ABSTRACT

Under a multi-task environment, a tamper resistant
microprocessor saves a context information for one program
whose execution is to be interrupted, where the context
information contains information indicating an execution
state of that one program and the execution code encryption
key of that one program. An execution of that one program
can be restarted by recovering the execution state of that one
program from the saved context information. The context
information can be encrypted by using the public key of the
microprocessor, and then decrypted by using the secret key
of the microprocessor.

2 Claims, 15 Drawing Sheets

TAMPER RESISTANT MICROPROCESSOR

BACKGROUND OF THE INVENTION 

1. Field of the Invention

The present invention relates to a microprocessor that can
prevent illegal alteration of execution codes and processing
target data under a multi-task program execution environment.

2. Description of the Background Art

In recent years, the performance of a microprocessor has
improved considerably such that the microprocessor is
capable of realizing reproduction and editing of video
images and audio sounds, in addition to the conventional
functions such as computations and graphics. By implementing
such a microprocessor in a system designed for
end-user (which will be referred to as PC hereafter), the
users can enjoy various video images and audio sounds on
monitors. Also, by combining the function for reproducing
video images and audio sounds with the computational
power of the PC, the applicability to games or the like can
be improved. Such a microprocessor is not designed for any
specific hardware and can be implemented in a variety of
hardwares so that there is an advantage that the users who
already possess PCs can enjoy reproduction and editing of
video images and audio sounds inexpensively by simply
changing a microprocessor for executing programs.

In the case of handling video images and audio sounds on
PCs, there arises a problem of a protection of the copyright
of original images or music. In the MD or digital video
playback devices, unlimited copies can be prevented by
implementing a mechanism for preventing the illegal copying
in these devices in advance. It is rather rare to attempt
the illegal copying by disassembling and altering these
devices, and even if such devices are made, there is a
worldwide trend for prohibiting the manufacturing and sales
of devices altered for the purpose of illegal copying by laws.
Consequently, damages due to the hardware based illegal
copying are not very serious.

However, image data and music data are actually processed
on the PC by the software rather than the hardware,
and the end-user can freely alter the software on the PC.
Namely, if the user has some level of knowledge, it is quite
feasible to carry out the illegal copying by analyzing programs
and rewriting the executable software. In addition,
there is a problem that the software for illegal copying so
produced can be spread very quickly through media such as
networks, unlike the hardware.

In order to resolve these problems, conventionally a PC
software to be used for reproducing copyright protected
contents such as commercial films or music has employed a
technique for preventing analysis and alteration by encrypting
the software. This technique is known as a tamper
resistant software (see David Aucsmith et al., "Tamper
Resistant Software: An Implementation", Proceedings of the
1996 Intel Software Developer's Conference).

The tamper resistant software technique is also effective 
in preventing illegal copying of valuable information includ- 
ing not only video and audio data but also text and know- 
how that is to be provided to a user through the PC, and 
protecting know-how contained in the PC software itself 
from analysis. 

However, the tamper resistant software technique is a
technique which makes analysis using tools such as
disassembler or debugger difficult by encrypting a portion of the
program that requires protection before the execution of the
program starts, decrypting that portion immediately before
executing that portion and encrypting that portion again
immediately after the execution of that portion is completed.
Consequently, as long as the program is executable by a
processor, it is always possible to analyze the program by
carrying out the analysis step by step starting from the start
of the program.

This fact has been an obstacle for a copyright owner to
provide copyright protected contents to a system for
reproducing video and audio data using the PC.

The other tamper resistant software applications are also 
vulnerable in this regard, and this fact has been an obstacle 
to a sophisticated information server through the PC and an 
application of a program containing know-how of an enter- 
prise or individual to the PC. 

These are problems that equally apply to the software
protection in general, but in addition, the PC is an open
platform so that there is also a problem of an attack by
altering the operating system (OS) which is intended to be
a basis of the system's software configuration. Namely, a
skilled and malicious user can alter the OS of his own PC to
invalidate or analyze the copyright protection mechanisms
incorporated in application programs by utilizing privileges
given to the OS.

The current OS realizes the management of resources
under the control of the computer and the arbitration of their
uses by utilizing a privileged operation function with respect
to a memory and an execution control function provided in
CPU. Targets of the management include the conventional
targets such as devices, CPU and memory resources, as well
as QoS (Quality of Service) at network or application level.
Nevertheless, the basics of the resource management are still
allocations of resources necessary for the execution of a
program. Namely, an allocation of a CPU time to the
execution of that program and an allocation of a memory
space necessary for the execution are the basics of the
resource management. The control of the other devices,
network and application QoS is realized by controlling the
execution of a program that makes accesses to these
resources (by allocating a CPU time and a memory space).

The OS has privileges for carrying out the CPU time
allocation and the memory space allocation. Namely, the OS
has a privilege for interrupting and restarting an application
program at arbitrary timing and a privilege to move a content
of a memory space allocated to an application program to a
memory of a different hierarchical level at arbitrary timing,
in order to carry out the CPU time allocation. The latter
privilege is also used for the purpose of providing a flat
memory space to the application by concealing (normally)
hierarchical memory systems with different access speeds
and capacities from the application.

Using these two privileges, the OS can interrupt an
execution state of the application and take a snap shot of it
at arbitrary timing, and restart it after making a copy of it or
rewriting it. This function can also be used as a tool for
analyzing secrets hidden in the application.

In order to prevent an analysis of the application on a
computer, there are several known techniques for encrypting
programs or data (Hampson, U.S. Pat. No. 4,847,902;
Hartman, U.S. Pat. No. 5,224,166; Davis, U.S. Pat. No.
5,806,706; Takahashi et al., U.S. Pat. No. 5,825,878; Buer et
al., U.S. Pat. No. 6,003,117; Japanese Patent Application
Laid Open No. 11-252667 (1999), for example). However,
these known techniques do not account for the protection of
the program operation and the data secrecy from the above
described privileged operations of the OS.

The conventional technique based on the x86 architecture
of Intel Corporation (Hartman, U.S. Pat. No. 5,224,166) is
a technique for storing the execution codes and data by
encrypting them by using a prescribed encryption key Kx.
The encryption key Kx is given in a form of E_Kp[Kx] which
is encrypted by using a public key Kp corresponding to a
secret key Ks embedded in a processor. Consequently, only
the processor that knows Ks can decrypt the encrypted
execution codes on a memory. The encryption key Kx is
stored in a register inside the processor called a segment
register.

Using this mechanism, it is possible to protect the secrecy
of the program codes from the user to some extent by
encrypting the codes. Also, it becomes cryptographically
difficult for a person who does not know the encryption key
Kx of the codes to alter the codes according to his intention
or newly produce codes that are executable when decrypted
by using the encryption key Kx.

However, the system employing this technique has a
drawback in that the analysis of the program becomes
possible by utilizing a privilege of the OS called a context
switching, without decrypting the encrypted execution
codes.

More specifically, when the execution of the program is
stopped by the interruption or when the program voluntarily
calls up a software interruption command due to the system
call up, the OS carries out the context switching for the
purpose of the execution of the other program. The context
switching is an operation to store an execution state (which
will be referred to as a context information hereafter) of the
program indicating a set of register values at that point into
a memory, and restoring the context information of another
program stored in the memory in advance into the registers.

FIG. 15 shows the conventional context storing format
used in the x86 processor. All the contents of the registers
used by the application are contained here. The context
information of the interrupted program is restored into the
registers when the program is restarted. The context switching
is an indispensable function in order to operate a
plurality of programs in parallel. In the conventional
technique, the OS can read the register values at a time of the
context switching, so that it is possible to guess most of the
operations made by the programs if not all, according to how
the execution state of that program has changed.

In addition, by controlling a timing at which the exception 
occurs by setting of a timer or the like, it is possible to carry 
out this processing at arbitrary execution point of the pro- 
gram. Apart from the interruption of the execution and the 
analysis, it is also possible to rewrite the register information 
by malicious intention. The rewriting of the registers can not 
only change the operation of the program but also make the 
program analysis easier. The OS can store arbitrary state of 
the application so that it is possible to analyze the operation 
of the program by rewriting the register values and operating 
the program repeatedly. In addition to the above described 
functions, the processor has a debugging support function 
such as a stepwise execution, and there has been a problem 
that the OS can analyze the application by utilizing all these 
functions. 

As far as data are concerned, U.S. Pat. No. 5,224,166
asserts that the program can access the encrypted data only
by the program execution using the encrypted code segment.
Here, there is a problem that the encrypted data can be freely
read by the encrypted program by using arbitrary key,
regardless of the encryption key by which the program is
encrypted, even when there are programs encrypted by using
mutually different encryption keys. This conventional
technique does not account for the case where the OS and the
application have their own secrets independently and the
secret of the application is to be protected from the OS or a
plurality of program providers have their own secrets
separately.

Of course, it is possible to separate memory spaces among
the applications and to prohibit accesses to a system memory
by the applications by the protection function provided in
the virtual memory mechanism even in the existing processor.
However, as long as the virtual memory mechanism is
under the management of the OS, the protection of the secret
of the application cannot rely on the function under the
management of the OS. This is because the OS can access
data by ignoring the protection mechanism, and this privilege
is indispensable in providing the virtual memory function
as described above.

As another conventional technique, Japanese Patent
Application Laid Open No. 11-282667 (1999) discloses a
technique of a secret memory provided inside the CPU in
order to store the secret information of the application. In
this technique, a prescribed reference value is required in
order to access data in the secret memory. However, this
reference fails to disclose how to protect the reference value
for obtaining the access right with respect to the secret data
from a plurality of programs operating in the same CPU,
especially the OS.

Also, in U.S. Pat. No. 5,123,045, Ostrovsky et al. disclose
a system that presupposes the use of sub-processors having
unique secret keys corresponding to the applications, in
which the operation of the program cannot be guessed from
the access pattern by which these sub-processors are accessing
programs placed on a main memory. This is based on a
mechanism for carrying out random memory accesses by
converting the instruction system for carrying out operations
with respect to the memory into another instruction system
different from that.

However, this technique requires different sub-processors
for different applications so that it requires a high cost, and
the implementation and fast realization of the compiler and
processor hardware for processing such instruction system
are expected to be very difficult as they are quite different
from those of the currently used processors. Besides that, in
this type of processor, it becomes difficult to comprehend
correspondences among the data contents and the operations
even when the data and the operations of the actually
operated codes are observed and traced so that the debugging
of the program becomes very difficult, and therefore
this technique has many practical problems, compared with
the other conventional techniques described above in which
the program codes and the data are simply encrypted, such
as those of U.S. Pat. No. 5,224,166 and Japanese Patent
Application Laid Open No. 11-282667.

SUMMARY OF THE INVENTION

Therefore the first object of the present invention is to
provide a microprocessor capable of surely protecting both
the internally executed algorithm and the data state inside a
memory region from illegal analysis in the multi-task
environment even when the execution is stopped by the
interruption.

This first object is motivated by the fact that the
conventional techniques are capable of protecting values of the
program codes but are incapable of preventing the analysis
utilizing the interruption of the program execution by the
exception occurrence or the debugging function. Thus the
present invention aims at providing a microprocessor
capable of surely protecting the codes even at a time of the
program execution interruption, in which this protection is
compatible with both the execution control function and the
memory management function required by the current OS.

The second object of the present invention is to provide a
microprocessor in which each program can secure a correctly
readable/writable data region independently even
when a plurality of programs encrypted by using different
encryption keys are to be executed.

This second object is motivated by the fact that the
conventional technique of U.S. Pat. No. 5,224,166 only
provides a simple protection in which accesses to the
encrypted data region by non-encrypted codes are
prohibited, and it has been impossible for a plurality of
programs to protect their own secrets independently. Thus
the present invention also aims at providing a microprocessor
which has a data region for protecting secret of each
application from the OS when a plurality of applications
have their respective (encrypted) secrets.

The third object of the present invention is to provide a
microprocessor capable of protecting the protected attributes
(i.e., encrypted attributes) of the above described data region
from illegal rewriting by the OS.

This third object is motivated by the fact that the
conventional technique of U.S. Pat. No. 5,224,166 has a
drawback in that the OS can rewrite the encrypted attributes set
in the segment register by interrupting the execution of the
program using the context switching. Once the program is
put in a state where data are written in a form of plaintext by
rewriting the encrypted attributes, data will be written into
a memory without encryption. Even if the application
checks the segment register value at some timing, the result
is the same if the register value is rewritten after that. Thus
the present invention also aims at providing a microprocessor
provided with a mechanism which is capable of prohibiting
such an alteration or detecting such an alteration and
taking appropriate measure against such an alteration.

The fourth object of the present invention is to provide a
microprocessor capable of protecting the encrypted
attributes from the so called chosen-plaintext attack of the
cryptoanalysis theory, in which the program can use arbitrary
value as the data encryption key.

The fifth object of the present invention is to provide a
microprocessor provided with a mechanism for the program
debugging and feedback. Namely, the present invention
aims at providing a microprocessor in which the debugging
of the program is carried out in plaintext and the feedback
of information on defects is provided to a program code
provider (program vendor) in the case of the execution
failure.

The sixth object of the present invention is to provide a
microprocessor capable of achieving the first to fifth objects
described above in a form that realizes both a low cost and
a high performance.

In order to achieve the first object, the first aspect of the 
present invention has the following features. The micropro- 
cessor which is formed as a single chip or a single package 
reads a plurality of programs encrypted by using code 
encryption keys that are different for different programs, 
from a memory (a main memory, for example) external of 
the microprocessor through a bus interface unit that provides 
a reading function. A decryption unit decrypts these plurality 
of read out programs by using respectively corresponding 
decryption keys, and an instruction execution unit executes 
these plurality of decrypted programs.

In the case of interrupting the execution of some program
among the plurality of programs, a context information
encryption/decryption unit that provides an execution state
writing function encrypts information indicating a state of
execution up to an interrupted point of the program to be
interrupted and the code encryption key of this program, by
using an encryption key unique to the microprocessor, and
writes the encrypted information as a context information
into a memory external of the microprocessor.

In the case of restarting the interrupted program, a
verification unit that provides a restarting function decrypts the
encrypted context information by using a unique decryption
key corresponding to the unique encryption key of the
microprocessor, and restarts the execution of the program
only when the code encryption key contained in the
decrypted context information (that is the code encryption
key of the program scheduled to be restarted) coincides with
the original code encryption key of the interrupted program.

In addition, in order to achieve the second and third
objects, the microprocessor also has a memory region (a
register, for example) inside the processor that cannot be
read out to the external, and an encrypted attribute writing
unit (an instruction TLB, for example) for writing encrypted
attributes for the processing target data of the program into
the internal memory. The encrypted attributes include the
code encryption key of the program and an encryption target
address range, for example. At least a part of these
encrypted attributes is contained in the context information.

The context information encryption/decryption unit also
attaches a signature based on a secret information unique to
the microprocessor to the context information. In this case,
the verification unit judges whether the signature contained
in the decrypted context information coincides with the
original signature based on the secret information unique to
the microprocessor or not, and restarts the interrupted program
only when they coincide.

In this way, the state of execution up to an interrupted
point of the encrypted program is stored in the external
memory as the context information, while the protected
attributes of the execution processing target data are stored
in the register inside the processor, so that the illegal
alteration of the data can be prevented.

In order to achieve the fourth object, the second aspect of
the present invention has the following features. The
microprocessor that is formed as a single chip or a single package
maintains a unique secret key therein that cannot be read out
to the external. The bus interface unit that provides a reading
function reads the code encryption key that is encrypted by
using a unique public key of the microprocessor corresponding
to the secret key in advance from a memory external of
the microprocessor. A key decryption unit that provides a
first decryption function decrypts the read out code encryption
key by using the secret key of the microprocessor. The
bus interface unit also reads out a plurality of programs
encrypted by respectively different code encryption keys
from an external memory. A code decryption unit that
provides a second decryption function decrypts these plurality
of read out programs. The instruction execution unit
executes these plurality of decrypted programs.

In the case of interrupting the execution of some program
among the plurality of programs, a random number generation
mechanism generates a random number as a temporary
key. The context information encryption/decryption unit
writes a first value obtained by encrypting information
indicating the execution state of the program to be interrupted
by using the random number, a second value obtained
by encrypting this random number by using the code encryption
key of the program to be interrupted, and a third value
obtained by encrypting this random number by using the
secret key of the microprocessor, into the external memory
as the context information.

In the case of restarting the execution of the program, the
context information encryption/decryption unit reads out the
context information from the external memory, decrypts the
random number of the third value contained in the context
information by using the secret key, and decrypts the execution
state information contained in the context information
by using the decrypted random number. At the same time,
the random number of the second value contained in the
context information is decrypted by using the code encryption
key of the program scheduled to be restarted. The
random number obtained by decrypting the second value by
using the code encryption key and the random number
obtained by decrypting the third value by using the secret
key are compared with the temporary key, and the execution
of the program is restarted only when they coincide.

In this way, the context information indicating the state of
execution up to an interrupted point is encrypted by using
the random number that is generated at each occasion of the
storing, and the signature using the secret key unique to the
microprocessor is attached, so that the context information
can be stored in the external memory safely.
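
The save and restart checks of the first and second aspects above, as an added sketch that is not part of the patent text: the saved context carries the three values plus a signature, and restart is refused when the signature fails or when the temporary key recovered with the program's code encryption key differs from the one recovered with the processor secret. Assumptions: a SHAKE-256 keystream and HMAC-SHA-256 stand in for the chip's cipher and signature, the processor secret is modelled as one symmetric key, and all names are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace


class ContextRejected(Exception):
    """Raised when a saved context fails verification on restart."""


def stream_xor(label: bytes, key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for the chip's cipher (assumption): XOR with a SHAKE-256
    # keystream bound to a purpose label, a key and a per-save nonce.
    keystream = hashlib.shake_256(label + key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


@dataclass(frozen=True)
class SavedContext:
    nonce: bytes   # fresh for every save
    first: bytes   # execution state encrypted under the temporary key r
    second: bytes  # r encrypted under the program's code encryption key Kx
    third: bytes   # r encrypted under the processor secret Ks
    tag: bytes     # signature keyed by Ks over the fields above


class Processor:
    def __init__(self) -> None:
        self._ks = secrets.token_bytes(32)  # chip-unique, never written out

    def _sign(self, nonce: bytes, first: bytes, second: bytes, third: bytes) -> bytes:
        message = nonce + first + second + third
        return hmac.new(self._ks, message, hashlib.sha256).digest()

    def save_context(self, state: bytes, code_key: bytes) -> SavedContext:
        r = secrets.token_bytes(32)      # temporary key, new at each save
        nonce = secrets.token_bytes(16)
        first = stream_xor(b"state", r, nonce, state)
        second = stream_xor(b"kx", code_key, nonce, r)
        third = stream_xor(b"ks", self._ks, nonce, r)
        tag = self._sign(nonce, first, second, third)
        return SavedContext(nonce, first, second, third, tag)

    def restore_context(self, ctx: SavedContext, code_key: bytes) -> bytes:
        # 1. Only a context written by this chip, unmodified, is accepted.
        expected = self._sign(ctx.nonce, ctx.first, ctx.second, ctx.third)
        if not hmac.compare_digest(expected, ctx.tag):
            raise ContextRejected("signature mismatch")
        # 2. The temporary key must come out the same via Ks and via the
        #    code key of the program that is about to be restarted.
        r_from_ks = stream_xor(b"ks", self._ks, ctx.nonce, ctx.third)
        r_from_kx = stream_xor(b"kx", code_key, ctx.nonce, ctx.second)
        if not hmac.compare_digest(r_from_ks, r_from_kx):
            raise ContextRejected("code encryption key mismatch")
        return stream_xor(b"state", r_from_ks, ctx.nonce, ctx.first)


def flip_bit(ctx: SavedContext, field: str) -> SavedContext:
    # Models an OS that edits one field of the context in external memory.
    value = bytearray(getattr(ctx, field))
    value[0] ^= 0x01
    return replace(ctx, **{field: bytes(value)})


def restart_outcome(cpu: Processor, ctx: SavedContext, code_key: bytes) -> str:
    try:
        cpu.restore_context(ctx, code_key)
        return "restarted"
    except ContextRejected as exc:
        return str(exc)


def demo() -> dict:
    cpu, other_cpu = Processor(), Processor()
    kx_a, kx_b = secrets.token_bytes(16), secrets.token_bytes(16)
    state = b"EIP=00401000 EAX=0000002A"  # constructed register dump
    ctx = cpu.save_context(state, kx_a)
    return {
        "state_visible_to_os": state in ctx.first,
        "same_program": restart_outcome(cpu, ctx, kx_a),
        "other_program": restart_outcome(cpu, ctx, kx_b),
        "tampered_state": restart_outcome(cpu, flip_bit(ctx, "first"), kx_a),
        "other_chip": restart_outcome(other_cpu, ctx, kx_a),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The "other_program" case is the one the second value exists for: the signature is valid because the same chip wrote the context, yet the restart is still refused because the context belongs to a program with a different code encryption key.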

In order to achieve the first to third and sixth objects, the
third aspect of the present invention has the following
features. The microprocessor that is formed as a single chip
or a single package reads out a plurality of programs
encrypted by using the encryption keys that are different for
different programs, and executes them. This microprocessor
has an internal memory (a register, for example) that cannot
be read out to the external, and stores the encrypted
attributes for data to be referred from each program (that is
the processing target data) and the encrypted attribute
specifying information into the register. The context information
encryption/decryption unit writes a related information that
is related to the encrypted attribute specifying information
stored in the register and containing a signature unique to the
microprocessor, into the external memory. A protection table
management unit reads the related information from the
external memory according to an address of the data to be
referred by the program. The verification unit verifies the
signature contained in the read out related information by
using the secret key, and permits the data referring by the
program according to the encrypted attribute specifying
information and the read out related information only when
that signature coincides with the signature unique to the
microprocessor.

In this configuration, the information to be stored in the
internal register is attached with the signature and stored into
the external memory, and only the necessary portion is read
out to the microprocessor. The signature is verified at a time
of reading, so that the safety against the substitution can be
secured. Even when the number of programs to be handled
is increased and the number of the encrypted attributes is
increased, there is no need to expand the memory region
inside the microprocessor so that a cost can be reduced.

According to one aspect of the present invention there is
provided a microprocessor having a unique secret key and a
unique public key corresponding to the unique secret key
that cannot be read out to external, comprising: a reading
unit configured to read out a plurality of programs encrypted
by using different execution code encryption keys from an
external memory; a decryption unit configured to decrypt the
plurality of programs read out by the reading unit by using
respective decryption keys; an execution unit configured to
execute the plurality of programs decrypted by the decryption
unit; a context information saving unit configured to
save a context information for one program whose execution
is to be interrupted, into the external memory or a context
information memory provided inside the microprocessor,
the context information containing information indicating an
execution state of the one program and the execution code
encryption key of the one program; and a restart unit
configured to restart an execution of the one program by
reading out the context information from the external
memory or the context information memory, and recovering
the execution state of the one program from the context
information.

Other features and advantages of the present invention 
will become apparent from the following description taken 
in conjunction with the accompanying drawings. 

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram showing a system incorporating
a microprocessor according to the first embodiment of the
present invention.

FIG. 2 is a diagram showing an entire memory space used
in the microprocessor of FIG. 1.

FIG. 3 is a block diagram showing a basic configuration
of a microprocessor according to the second embodiment of
the present invention.

FIG. 4 is a block diagram showing a detailed configuration
of the microprocessor of FIG. 3.

FIG. 5 is a diagram showing a page directory and a page
table format used in the microprocessor of FIG. 3.

FIG. 6 is a page table and a key entry format used in the
microprocessor of FIG. 3.

FIGS. 7A and 7B are diagrams respectively showing
exemplary data before and after interleaving used in the
microprocessor of FIG. 3.

FIG. 8 is a diagram showing a flow of information for a
code decryption processing to be carried out in the
microprocessor of FIG. 3.

FIG. 9 is a diagram showing a CPU register used in the
microprocessor of FIG. 3.

FIG. 10 is a diagram showing a context saving format
used in the microprocessor of FIG. 3.

FIG. 11 is a flow chart for a protection domain switching
procedure to be carried out in the microprocessor of FIG. 3.

FIG. 12 is a diagram showing a flow of information for
data encryption and decryption processing to be carried out
in the microprocessor of FIG. 3.

FIG. 13 is a diagram conceptually showing a process of
execution control within a protection domain by the
microprocessor of FIG. 3.

FIG. 14 is a diagram conceptually showing a process of
call up and branching from a protection domain to a
non-protection domain by the microprocessor of FIG. 3.

FIG. 15 is a diagram showing a context saving format
used in a conventional processor.

DETAILED DESCRIPTION OF THE
PREFERRED EMBODIMENTS

Referring now to FIG. 1 and FIG. 2, the first embodiment
of a tamper resistant microprocessor according to the present
invention will be described in detail.

This first embodiment is directed to a microprocessor for
protecting secrets of the program instructions (execution
codes) and the context information (execution state) which
are to be provided in encrypted forms by using the public
key (asymmetric key) cryptosystem, from a user of a target
system.

FIG. 1 shows the target system, where a microprocessor
2101 of the target system is connected to a main memory
2103 through a bus 2102.

As shown in FIG. 1, in this embodiment, the microprocessor
2101 has a register file 2111, an instruction execution
unit 2112, an instruction buffer 2113, a public key decryption
function 2114, a secret key register 2115, a common key
decryption function 2116, a common key register 2117, a
BIU (Bus Interface Unit) 2118, a register buffer 2119, a
public key register 2120, an encryption function 2121, a
decryption function 2122, and a previous common key
register 2123, which will be described in further detail
below.

First, the terms to be used in the following description will
be described, and the operation of general operating system
(OS) and application programs will be described briefly. A
program is a set of data and a series of machine language
instructions written for some specific purpose. The OS is a
program for managing resources of the system, and the
application is a program to be operated under the resource
management of the OS. This embodiment presupposes the
multi-task system, so that a plurality of application programs
will be operated in a quasi parallel manner under the
management of the OS. Each one of these programs that are
operated in the quasi parallel manner will be referred to as
a process. There are cases where a set of processes for
executing the processes for the same purpose will be
referred to as a task.

The instructions and data of the application program arc 
usually stored in files on a secondary memory. They arc 
arrauged on a memory by a loader of the OS and executed 
as a process. The execution of the program is often inter- 
rupted by an exception (or interruption) processing of the 
processor caused by input/output or the like. A program for 
carrying out the exception processing will be referred lo as 
an exception handler. The exception handler is usually set up 
by the OS. The OS can process an exception request from 
the hardware, interrupt the operation of the application and 
restart or start the operation of another application at arbi- 
trary timing. The interruptions of the process include tran- 
sitory cases where the execution of the original process is 
restarted without switching processes after the execution of 
the exception handler, and cases requiring the process 
switching. Examples of the former include a simple timer 
increment and examples of the la tier include a virtual 
memory processing due to tlie page exception. 

The object of this embodiment is to protect the program 
instructions (execution codes) and the execution state from 
a user of the target system who can freely read the main 
memory of the target system and freely alter the OS program 
or application programs. 

The basic features for achieving this object are the access
control with respect to the information storage inside the
processor and the encryption based on the information listed
below.

(1) A common key Kx selected by a program creator. The
application program will be encrypted by the secret key
cryptosystem using this key.

(2) A pair of a unique public key Kp and a unique secret
key Ks provided inside the processor. The public key can be
read out by the program by using instructions.

(3) An encryption key information in which the common
key Kx of the program is encrypted by using the public key
Kp of the processor.

[Execution of a Plaintext Program]

This processor is capable of executing a program with
coexisting plaintext instructions and encrypted instructions
which is placed on the main memory. Here the operation
inside the CPU for the execution of a plaintext program will
be described with references to FIG. 1 and a memory
arrangement shown in FIG. 2.

FIG. 2 shows an entire memory space 2201, in which
programs are placed in regions 2202 to 2204 on the main
memory, where regions 2202 and 2204 are plaintext regions
while a region 2203 is an encrypted region. A region 2205
stores a key information to be used in decrypting the region
2203.

The execution of the program is started as the control is
shifted from the OS by an instruction for jump to a top X of
the program or the like. The instruction execution unit 2112
executes the instruction for jump to X, and outputs an
address of the instruction to the BIU 2118. The content of the
address X is read through the bus 2102, sent from the BIU
2118 to the instruction buffer 2113, and sent to the
instruction execution unit 2112 where the instruction is executed.
Its operation result is reflected in the register file 2111. When
the operation target is reading/writing with respect to an
address on the main memory 2103, its address value is sent
to the BIU 2118, that address is outputted from the BIU 2118
to the bus 2102, and data reading/writing with respect to the
memory is carried out.

The instruction buffer 2113 has a capacity for storing two
or more instructions, and the instructions corresponding to a
size of the instruction buffer 2113 are collectively read out
from the main memory 2103.

[Execution of Encrypted Instructions]

Next, the case of executing an encrypted instruction will
be described. The processor of this embodiment has two
states including the execution of plaintext instructions and
the execution of encrypted instructions, and two types of
instructions for controlling these states are provided. One is
an encryption execution start instruction for making a
transition from the execution of plaintext instructions to the
execution of encrypted instructions, and another is a
plaintext return instruction for making a reverse transition.

[Encryption Execution Start Instruction]

The encryption execution start instruction is denoted by
the following mnemonic "execenc" and takes one operand:

execenc keyaddr

where "keyaddr" indicates an address where the key
information to be used in decrypting the subsequent instructions
is stored.

[Key Information]

Here, the key information and the program encryption
will be described. The encrypted region 2203 comprises a
sequence of encrypted instructions. The instructions are
subdivided into blocks in units of a prefetch queue size and
encrypted by the secret key algorithm such as DES (Data
Encryption Standard) algorithm. A key to be used in this
encryption will be denoted as Kx hereafter. Since the secret
key algorithm is used, the same key Kx is also used for the
decryption.

If this Kx is placed on the main memory in a plaintext
form, a user who can operate the OS of the target system
can easily read it and analyze the encrypted program. In
order to prevent this, E_Kp[Kx] obtained by encrypting Kx by
using the public key Kp of the processor will be placed in the
region 2205 of the memory. A top address of this region is
indicated by "keyaddr".

It is cryptographically (computationally) impossible to
decrypt Kx from E_Kp[Kx] unless one knows Ks corresponding
to the public key Kp. Consequently, the secret of the
program will never be leaked to the user as long as the user
of the target system does not know Ks. This Ks is stored in
a form that cannot be read out from the external, inside the
processor. The processor can decrypt Kx internally without
allowing the user to learn about it, and the processor can also
decrypt the encrypted program by using Kx and execute it.

In the following, the encryption execution start instruction
and the subsequent execution of the encrypted instruction
will be described in detail. By the execution of the jump
instruction in a region 2207, the control is shifted to the
encryption execution start instruction at the address "start".
At the address indicated by the operand "keyaddr" of the
encryption execution start instruction, the content of the
specified region 2205 is read out to the instruction execution
unit 2112 of the processor as data. The instruction execution
unit 2112 sends this data E_Kp[Kx] to the public key
decryption function 2114. The public key decryption function 2114
takes out Kx by decrypting E_Kp[Kx] by using a secret key Ks
unique to the processor which is stored in the secret key
register 2115, and stores it in the common key register 2117.
Then, the processor enters the encrypted instruction
execution state.

Here, it is assumed that the processor package is manu- 
factured such that the contents stored in the secret key 
register 2115 and the common key register 2117 cannot be 
read out to the external by the program or the debugger of 
the processor chip. 

By executing the encryption execution start instruction,
the key to be used in decrypting the subsequent instructions
is stored into the common key register 2117, and the
processor is entered into the encrypted instruction execution
state. When the processor is in the encrypted instruction
execution state, the instructions read from the main memory
2103 are sent from the BIU 2118 to a common key
decryption function 2116, decrypted by using the key information
stored in the common key register 2117 and stored into the
instruction buffer 2113.

In this embodiment, the program encrypted by using the
key Kx which is stored in the region 2204 next to the
encryption execution start instruction will be decrypted,
stored in the instruction buffer 2113, and executed. The
reading is carried out in units of a size of the instruction
buffer 2113. FIG. 2 shows an exemplary case where the size
of the instruction buffer 2113 is 64 bits, and four instructions
of 16 bits size each are collectively read out to the
instruction buffer 2113.

[Plaintext Return Instruction] 

The processor in the encrypted instruction execution state
returns to the plaintext instruction execution state by the
execution of the plaintext return instruction.

The plaintext return instruction is denoted by the following
mnemonic:

exitenc

which takes no operand. By execution of this instruction, the
reading of the instructions from the main memory 2103 is
carried out through a path that does not pass through the
common key decryption function 2116, and the processor
returns to the execution of the plaintext instructions.

Note that when the encryption execution start instruction
is executed again during the execution of the encrypted
instruction, the instruction decryption key is changed such
that the subsequent instructions are decrypted by using a
different key and executed.

[Context Saving and Attack Against It]

Next, the safe saving of the execution state in order to
protect the secret of the application program in the
multi-task environment will be described.

The register file 2111 of this processor has 32 general
purpose registers (R0 to R31). R31 is used as a program
counter. The contents of the general purpose registers are
stored in the register file 2111. When the exception occurs
during the execution of the encrypted program as described
above, the contents of the register file 2111 are moved to the
register buffer 2119, and the contents of the register file 2111
are initialized by a prescribed value or a random number.
Then, the value of the common key used for decryption of
the encrypted program is stored in the previous common key
register 2123. Only when these two types of initialization are
completed, the control is shifted to the exception handler and
the instructions of the exception handler are executed. The
instructions of the exception handler are assumed to be
non-encrypted.

By this register file initialization function, in the processor
of this embodiment, the reading of the register values
processed by the encrypted program by the exception handler
program is prevented even in the case where the control
is shifted to the exception handler as an exception occurs
during the execution of the encrypted program. At the same
time, the contents of the register file 2111 are saved in the
register buffer 2119, and there is a function for recovering
the register buffer contents and for storing them into the
memory as will be described below, so as to enable the
restart of the encrypted program.

Now, the register contents stored in the register buffer
2119 cannot be read out directly from the non-encrypted
program of the exception handler. The non-encrypted program
of the exception handler is only allowed to perform the
following two operations with respect to the register buffer
2119.

(1) Recover the register buffer contents and restart the
execution of the original encrypted program.

(2) Encrypt the register buffer contents and store them
into the memory, and execute the OS program or another
encrypted program.

In the case of (1), when the exception handler processing
such as the increment of the counter is finished, the
exception handler issues a "cont" (continue) instruction. When the
"cont" instruction is executed, the contents of the register
buffer 2119 and the previous common key register 2123 are
recovered in the register file 2111 and the common key
register 2117, respectively. The program counter is
contained in the register file 2111, so that the execution of the
encrypted program is restarted by setting the control back to
a point where the execution of the encrypted program was
interrupted. For the decryption of the encrypted program
after the restart, the value recovered from the previous
common key register 2123 will be used. Similarly as the
contents of the register buffer 2119, the program cannot
rewrite the previous common key register 2123 explicitly.

The case of (2) corresponds to the case where the process
switching occurs at a timing of the execution of the
exception handler. In this case, the exception handler or a task
dispatcher of the processor issues a "savereg" (save register)
instruction for saving the contents of the register buffer 2119
into the memory. This "savereg" instruction is denoted by
the following mnemonic:

savereg dest

and takes one operand "dest" indicating an address to which
the register buffer contents are to be saved.

When the "savereg" instruction is issued, the contents of
the register buffer 2119 and the previous common key
register 2123 are encrypted by the encryption function 2121
by using the public key Kp of the processor stored in the
public key register 2120, and saved at an address on the main
memory 2103 specified by "dest" through the BIU 2118. The
main memory 2103 is outside the processor so that it has a
possibility of being accessed by the user, but these contents
are encrypted by the public key of the processor so that the
user who does not know the secret key of the processor
cannot learn the register buffer contents.

After the register buffer contents are saved, the OS
activates another encrypted program by the method
described above. If another encrypted program is activated
without saving the register buffer contents, the register
buffer contents would be rewritten to those of another
encrypted program when the execution of another encrypted
program is interrupted, and it would become impossible to
restart the original encrypted program as the register buffer
contents for the original encrypted program are lost.

Here, the number of the register buffer is assumed to be 
one, but it is also possible to provide a plurality of register 
buffers so as to be able to deal with multiple exceptions. 

[Recovery Procedure] 

Next, a procedure for recovering the saved execution state
will be described.

At a time of restarting the interrupted application, a
dispatcher of the OS issues a "revrreg" (recover register)
instruction. This "revrreg" instruction is denoted by the
following mnemonic:

revrreg addr

and takes one operand "addr" indicating an address at which
the execution state is saved.

When the "revrreg" instruction is issued, the encrypted
execution state information is taken out from the address of
the memory specified by "addr" by the BIU 2118 of the
processor, decrypted by using the secret key Ks of the
processor by the decryption function 2122, and the register
information is recovered in the register file 2111 while the
program decryption key is recovered in the common key
register 2117. When the recovery is completed, the
execution of the interrupted program is restarted from a point
indicated by the program counter. At this point, the key Kx
recovered from the execution state information will be used
for decryption of the encrypted program.

The detail of the saving and the recovery of the execution
state in relation to the interruption of the encrypted program
due to exception has been described above. As already
described above, the encrypted programs are safe against
attacks from the user who can operate the OS of the target
system.

Next, the safety of the above described scheme against 
two types of attacks against the execution state will be 
described. 

[Attacks Against the Execution State] 

There are two types of attacks against the execution state
that is generated in a process of the application execution.
One is the peeping of the saved execution state by an
attacker, and the other is the rewriting of the execution state
to a desired value by an attacker.

Here, the following two terms for expressing the illegal
accesses to the execution state will be defined. First, the
program that has generated the execution state will be
referred to as an original program for that execution state.
The original program can be restarted by recovering the
execution state in the registers. On the other hand, programs
other than the program that has generated the execution
state, that is programs encrypted by encryption keys
different from that of the original program or plaintext programs,
will be referred to as other programs.

The illegal accesses or the attacks with respect to the
execution state generated by some original program are
defined as an act of directly analyzing the execution state on
the memory by some method independently from the
operation of the processor by a third party who does not know the
encryption key of the original program, or an act of
analyzing the execution state or rewriting the execution state to a
desired value by a third party utilizing the other programs
operated on the same processor.

In the microprocessor of this embodiment, the execution
state is protected by the following three types of
mechanisms so as to prevent the illegal accesses utilizing the
access to the memory external of the processor or the other
programs.

First, in this embodiment, the register information is
saved in the register buffer 2119 when the execution of the
encrypted program is interrupted. Then, the register buffer
2119 and the previous common key register 2123 cannot be
accessed by any methods other than that using the "revrreg"
instruction or the "savereg" instruction, so that the other
programs cannot read their contents freely.

In the conventional processor, the register contents at a
time of the exception occurrence can be freely read by the
exception handler program. In the microprocessor of this
embodiment, the register contents are saved in the register
buffer 2119 so as to prohibit the reading from the other
programs, and the instruction for saving the register buffer
contents by encrypting them by using the public key of the
processor is provided so as to prevent the peeping of the
execution state saved on the memory by the user of the
system.

The second attacking method includes a method for
reading values of the registers contained in the execution
state by placing the instruction of some other program
known to the attacker at the same memory address as the
original program such that this other program reads the
encrypted execution state.

In the microprocessor of this embodiment, the encrypted
execution state contains the program encryption key, and
this key will be used in decrypting the encrypted program at
a time of restart. Because of this mechanism, even when the
other program other than the original program attempts to
read the execution state, the key does not match so that
the program cannot be decrypted correctly and the program
cannot be executed according to the intention of the attacker.
Thus the second attacking method is impossible in the
microprocessor of this embodiment.
This effect cannot be realized by simply encrypting the
execution state itself by the public key of the processor, but
can be realized by encrypting the decryption key of the
original program and the execution state integrally.

Note that, in order to maximize this effect, values of the
registers (R0 to R31) and the common key Kx should
preferably be stored in the identical cipher block at a time of
the encryption using the public key.
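
The binding of Kx to the saved registers described above, as an added Python simulation that is not part of the original patent text. The toy RSA key pair, the XOR pad standing in for DES, the 32-bit register width and the register-only "strawman" variant used for contrast are assumptions made for illustration.

```python
import hashlib
import struct

# Constructed toy stand-in for the processor key pair: textbook RSA over two
# Mersenne primes, no padding. Kp = (N, E) is public, Ks = (N, D) stays inside.
_P, _Q = 2**521 - 1, 2**607 - 1
N, E = _P * _Q, 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))

NREGS, KEYLEN = 32, 8
CTX_LEN = NREGS * 4 + KEYLEN   # R0..R31 and Kx share ONE public-key cipher block


def sym(key: bytes, addr: int, block: bytes) -> bytes:
    """Stand-in for the DES instruction cipher (assumption): XOR with a pad
    derived from key and address, so encrypt and decrypt are the same call."""
    pad = hashlib.sha256(key + struct.pack(">I", addr)).digest()[:len(block)]
    return bytes(a ^ b for a, b in zip(block, pad))


class Cpu:
    def __init__(self, bind_key: bool = True):
        self.bind_key = bind_key     # False = strawman that saves registers only
        self.regs = [0] * NREGS      # register file, R31 is the program counter
        self.kx = None               # common key register (None = plaintext state)
        self.reg_buffer = None       # register buffer
        self.prev_kx = None          # previous common key register

    def execenc(self, e_kp_kx: int) -> None:
        """Recover Kx from E_Kp[Kx] with Ks and enter the encrypted state."""
        self.kx = pow(e_kp_kx, D, N).to_bytes(KEYLEN, "big")

    def exception(self) -> None:
        """Park registers and Kx where the plaintext handler cannot read them."""
        self.reg_buffer, self.regs = self.regs, [0] * NREGS
        self.prev_kx, self.kx = self.kx, None

    def savereg(self) -> int:
        """Encrypt the parked state under Kp; the result goes to main memory."""
        key = self.prev_kx if self.bind_key else bytes(KEYLEN)
        ctx = struct.pack(">32I", *self.reg_buffer) + key
        return pow(int.from_bytes(ctx, "big"), E, N)

    def revrreg(self, blob: int) -> None:
        """Decrypt a saved context with Ks and restore registers (and Kx)."""
        ctx = pow(blob, D, N).to_bytes(CTX_LEN, "big")
        self.regs = list(struct.unpack(">32I", ctx[:NREGS * 4]))
        if self.bind_key:
            self.kx = ctx[NREGS * 4:]   # decryption key comes from the context

    def fetch(self, memory: dict) -> bytes:
        """Return the instruction block at the PC as the execution unit sees it."""
        pc = self.regs[31]
        return sym(self.kx, pc, memory[pc]) if self.kx else memory[pc]


def scenario(bind_key: bool) -> dict:
    """Interrupt a protected program, then restart it honestly and under attack."""
    kx = b"vendorKx"                 # constructed program key
    insn = bytes(range(1, 9))        # constructed 64-bit instruction block
    evil = b"DUMPREGS"               # constructed plaintext block placed by the OS
    pc, secret = 0x1000, 0xC0FFEE
    e_kp_kx = pow(int.from_bytes(kx, "big"), E, N)

    cpu = Cpu(bind_key)
    cpu.execenc(e_kp_kx)
    cpu.regs[5], cpu.regs[31] = secret, pc
    cpu.exception()
    handler_view = list(cpu.regs)    # all the exception handler can read
    blob = cpu.savereg()

    # Honest restart; the strawman OS must re-issue execenc to reload the key.
    if not bind_key:
        cpu.execenc(e_kp_kx)
    cpu.revrreg(blob)
    honest = cpu.fetch({pc: sym(kx, pc, insn)})

    # Second attacking method: other code at the same address, victim's context.
    cpu.kx = None
    cpu.revrreg(blob)
    attacked = cpu.fetch({pc: evil})
    return {"handler_view": handler_view, "honest": honest, "attacked": attacked,
            "evil": evil, "insn": insn, "r5": cpu.regs[5], "secret": secret}
```

With the key bound into the context, the substituted block is decrypted with the original program's Kx and no longer matches what was placed in memory; in the register-only variant it runs unchanged with the victim's register values loaded.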
[Data Protection] 

In the microprocessor of this embodiment, the encryption
of the data is not accounted, but it should be apparent to
those skilled in the art that it is possible to add the data
encryption function to the microprocessor of this
embodiment similarly as the data encryption in the microprocessor
for supporting the virtual memory which will be described
in the second embodiment.

Referring now to FIG. 3 to FIG. 14, the second
embodiment of a tamper resistant microprocessor according to the
present invention will be described in detail.

In this embodiment, the microprocessor according to the
present invention will be described for an exemplary case of
using an architecture based on the widely used Pentium Pro
microprocessor of the Intel corporation, but the present
invention is not limited to this particular architecture. In the
following description, features specific to the Pentium Pro
microprocessor architecture will be noted and applications
to the other architectures will be mentioned.

Note that the Pentium Pro architecture distinguishes three
types of addresses in the address space including physical
addresses, linear addresses and logical addresses, but the
linear addresses in the Pentium terminology will also be
referred to as logical addresses in this embodiment.

In the following description, the protection implies the
protection of secrets of applications (that is the protection by
encryption), unless otherwise stated. Consequently, the
protection in this embodiment should be clearly distinguished
from the ordinarily used concept of protection, that is the
prevention of disturbances on the operations of the other
applications due to the operation of some application.
However, in the present invention, it is assumed that the
operation protection mechanism in the ordinary sense is of
course provided by the OS (although the description of this
aspect will be omitted as it is unrelated to the present
invention), in parallel to the protection of secrets of
applications according to the present invention.

Also, in the following description, a machine language
instructions that are executable by the processor will be
referred to as instructions, and a plurality of instructions will
be collectively referred to as an execution code or an
instruction stream. A key used in encrypting the instruction
stream will be referred to as the execution code encryption
key.

Also, in the following description, the secret protection
mechanism will be described as protecting secrets of
applications under the management of the OS, but this
mechanism can also be utilized as a mechanism for protecting the
OS itself from alteration or analysis.

FIG. 3 shows a basic configuration of the microprocessor
according to this embodiment, and FIG. 4 shows a detailed
configuration of the microprocessor shown in FIG. 3.

The microprocessor 101 has a processor core 111, an
instruction TLB (Table Lookup Buffer) 121, an exception
processing unit 131, a data TLB (Table Lookup Buffer) 141,
a secondary cache 152. The processor core 111 includes a bus
interface unit 112, a code and data encryption/decryption
processing unit 113, a primary cache 114, and an instruction
execution unit 115.

The instruction execution unit 115 further includes an
instruction fetch/decode unit 214, an instruction table 215,
an instruction execution switching unit 216, and an
instruction execution completing unit 217.

The exception processing unit 131 further includes a
register file 253, a context information encryption/
decryption unit 254, an exception processing unit 255, a
secret protection violation detection unit 256, and an
execution code encryption key and signature verification unit 257.

The instruction TLB 121 further includes a page table
buffer 230, an execution code decryption key table buffer
231, and a key decryption unit 232. The data TLB 141
further includes a protection table management unit 233.

The microprocessor 101 has a key storage region 241 for
storing a public key Kp and a secret key Ks which are unique
to this microprocessor. Now, consider the case of purchasing
a desired execution program A from some program vendor
and executing it. The program vendor encrypts the program
A by using a common execution code encryption key Kcode
(E_Kcode[A]) before supplying the execution program A, and
the common key Kcode used for encryption in a form
encrypted by using the public key Kp of the microprocessor
101 (E_Kp[Kcode]) to the microprocessor 101. The
microprocessor 101 is a multi-task processor which processes not
only the execution program A but also a plurality of
different programs in a quasi parallel manner (that
is, by allowing interruptions). Also, the microprocessor 101
obviously executes not only the encrypted programs but also
plaintext programs.

The microprocessor 101 reads out a plurality of programs
encrypted by using different execution code encryption keys
from a main memory 281 external of the microprocessor 101
through the bus interface unit (reading function) 112. The
execution code decryption unit 212 decrypts these plurality
of read out programs by using respectively corresponding
decryption keys, and the instruction execution unit 115
executes these plurality of decrypted programs.

In the case of interrupting the execution of some program,
the context information encryption/decryption unit 254 of
the exception processing unit 131 encrypts information
indicating the execution state up to an interrupted point of
the program to be interrupted and the code encryption key of
this program by using the public key of the microprocessor
101, and writes the encrypted information into the main
memory 281 as the context information.

In the case of restarting the interrupted program, the
execution code encryption key and signature verification
unit 257 decrypts the encrypted context information by
using the secret key of the microprocessor 101, verifies
whether the execution code encryption key contained in the
decrypted context information (that is the execution code
encryption key of the program scheduled to be restarted)
coincides with the original execution code encryption key of
the interrupted program, and restarts the execution of the
program only when they coincide.

Here, before describing the detailed configuration and
functions of the microprocessor 101, the processing
procedure for the execution of plaintext instructions and the
execution of encrypted programs by the microprocessor 101
will be outlined.

When the microprocessor 101 executes a plaintext
instruction, the instruction fetch/decode unit 214 attempts to
read the content of an address indicated by a program
counter (not shown) from an L1 instruction cache 213. If the
content of the specified address is cached, the instruction is
read out from the L1 instruction cache 213, sent to the
instruction table 215, and executed. The instruction table
215 is capable of executing a plurality of instructions in
parallel, and requests reading of data necessary for carrying
out the execution to the instruction execution switching unit
216 and receives the data. When the instructions are
executed in parallel and their execution results are
determined, the execution results are sent to the instruction
execution completing unit 217. The instruction execution
completing unit 217 writes the execution result into the
register file 253 when the operation target is a register inside
the microprocessor 101, or into an L1 data cache 218 when
the operation target is a memory.

The content of the L1 data cache 218 is cached once again
by an L2 cache 152 under the control of the bus interface
unit 112, and written into the main memory 281. Here, the
virtual memory mechanism is used, where a correspondence
between the logical memory address and the physical
memory address is defined by a page table shown in FIG. 5.

The page table is a data structure placed on the physical
memory. The data TLB 141 actually carries out a conversion
from the logical address to the physical address, and at the
same time manages the data cache. The data TLB 141 reads
a necessary portion of the table according to a top address of
the table indicated by a register inside the microprocessor
101, and carries out the operation for converting the logical
address into the physical address. At this point, only the
necessary portion of the page table is read out to a page table
buffer 234 according to the logical address to be accessed,
rather than reading out the entire page table on the memory
to the data TLB 141.

The basic cache operation is stable regardless of whether
the instructions of the program are encrypted or not. Namely,
a part of the page table is read out to the instruction TLB
121, and the address conversion is carried out according to
the definition contained therein. The bus interface unit 112
reads instructions from the main memory 281 or the L2
cache 152, and instructions are stored in the L1 instruction
cache 213. The reading of instructions out to the L1
instruction cache 213 is carried out in units of a line formed by a
plurality of words, which enables a faster access than the
reading in word units.

The address conversion utilizing the same page table on 
the physical memory is also carried out for the processing 
target data of the executed instructions, and the execution of 
the conversion is carried out at the data TLB 141 as 
described above. 

The operation up to this point is basically the same as the 
general cache memory operation. 

Next, the operation in the case of executing an encrypted
program will be described. In this embodiment, it is assumed
that the execution codes for which secrets are to be protected
are all encrypted, and the encrypted execution codes will
also be referred to as protected codes. In addition, a range of
the protection by the same encryption key will be referred to
as a protection domain. Namely, a set of codes protected by
the same encryption key belongs to the same domain,
and codes protected by different encryption keys belong
to different protection domains.

First, the execution codes of a program encrypted by the
secret key scheme block cipher algorithm are stored on the
main memory 281. A method for loading the encrypted
program transmitted from a program vendor will be
mentioned below.

A cipher block size of the execution codes can be any
value as long as two to the power of the block size coincides
with a line size that is a unit for reading/writing with respect
to the cache memory. However, if the block size is so small
that a block length coincides with an instruction length, there
arises a possibility for analyzing the instruction easily by
recording a correspondence between encrypted data and a
predictable portion of the instruction such as a top portion of
a sub-routine. For this reason, in this embodiment, the
blocks are interleaved such that there is a mutual
dependency among data in the blocks and the encrypted block
contains information on a plurality of instruction words or
operands. In this way, it is made difficult to set a
correspondence between the instruction and the encrypted block.

FIGS. 7A and 7B show an example of the interleaving that
can be used in this embodiment. In this example, it is
assumed that the line size of the cache is 32 bytes and the
block size is 64 bits (i.e., 8 bytes). As shown in FIG. 7A,
before the interleaving, one word is formed by 4 bytes, so
that a word A is formed by 4 bytes of A0 to A3. One line is
formed by 8 words of A to H. When this is interleaved in
units of 8 bytes corresponding to the block size of 64 bits,
as shown in FIG. 7B, A0, B0, ..., H0 are arranged in the
first block corresponding to word 0 and word 1, A1, B1, ...,
H1 are arranged in the next block, and so on.
An attack can be made more difficult by setting a length
of a region to be interleaved longer, but the interleaving of
a region with a length longer than the line size makes the
processing more complicated and lowers the processing
speed because the decryption/encryption of one cache line
would depend on reading/writing of another line. Thus it is
preferable to set a range for interleaving within a range of
the cache line size.

Here the method for interleaving data of blocks is used 
such that there is a mutual dependency among data in a 
plurality of blocks contained in the cache line, but it is also 
possible to use the other method for generating a depen- 
dency among data blocks, such as the CBC (Cipher Block 
Chaining) mode of the block cipher.
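The following added example (not code from the patent) implements the byte interleaving of FIGS. 7A and 7B for a 32-byte line and 64-bit blocks, and shows its effect on block-wise encryption. The toy Feistel cipher, the key and the two sample lines are constructed stand-ins; the patent does not name a cipher.

```python
import hashlib

LINE_SIZE = 32    # cache line size in bytes (from the text)
WORD_SIZE = 4     # bytes per word A..H (from the text)
BLOCK_SIZE = 8    # 64-bit cipher block (from the text)
WORDS = LINE_SIZE // WORD_SIZE   # 8 words per line


def interleave(line: bytes) -> bytes:
    """FIG. 7A -> FIG. 7B: block k holds byte k of every word (A_k, B_k, ..., H_k)."""
    if len(line) != LINE_SIZE:
        raise ValueError("expected exactly one cache line")
    return bytes(line[w * WORD_SIZE + k]
                 for k in range(WORD_SIZE) for w in range(WORDS))


def deinterleave(data: bytes) -> bytes:
    """Inverse processing applied after block decryption."""
    if len(data) != LINE_SIZE:
        raise ValueError("expected exactly one cache line")
    return bytes(data[k * WORDS + w]
                 for w in range(WORDS) for k in range(WORD_SIZE))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the toy cipher (assumption, illustration only).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation on 64 bits; NOT a secure cipher."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        mixed = bytes(a ^ b for a, b in zip(left, _round(key, rnd, right)))
        left, right = right, mixed
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        mixed = bytes(a ^ b for a, b in zip(right, _round(key, rnd, left)))
        left, right = mixed, left
    return left + right


def encrypt_line(key: bytes, line: bytes, interleaved: bool = True) -> bytes:
    """Encrypt one cache line block by block, optionally interleaving first."""
    if len(line) != LINE_SIZE:
        raise ValueError("expected exactly one cache line")
    data = interleave(line) if interleaved else line
    return b"".join(toy_encrypt_block(key, data[i:i + BLOCK_SIZE])
                    for i in range(0, LINE_SIZE, BLOCK_SIZE))


def decrypt_line(key: bytes, ct: bytes, interleaved: bool = True) -> bytes:
    data = b"".join(toy_decrypt_block(key, ct[i:i + BLOCK_SIZE])
                    for i in range(0, LINE_SIZE, BLOCK_SIZE))
    return deinterleave(data) if interleaved else data


def changed_blocks(a: bytes, b: bytes) -> list:
    """Indices of the 8-byte ciphertext blocks that differ between two lines."""
    return [i // BLOCK_SIZE for i in range(0, LINE_SIZE, BLOCK_SIZE)
            if a[i:i + BLOCK_SIZE] != b[i:i + BLOCK_SIZE]]


# Constructed sample data: two lines that differ only in word A.
KEY = b"constructed-demo-key"
LINE_1 = bytes(range(32))
LINE_2 = bytes([0xE8, 0x10, 0x20, 0x30]) + LINE_1[4:]

if __name__ == "__main__":
    plain = changed_blocks(encrypt_line(KEY, LINE_1, False),
                           encrypt_line(KEY, LINE_2, False))
    mixed = changed_blocks(encrypt_line(KEY, LINE_1), encrypt_line(KEY, LINE_2))
    print("blocks changed without interleaving:", plain)
    print("blocks changed with interleaving:   ", mixed)
```

Without interleaving, replacing one instruction word changes a single ciphertext block, which is what lets an observer pair blocks with instructions; with interleaving the same change spreads over every block of the line.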

The decryption key Kcode (which will also be referred to
as the encryption key hereafter even in the case of decryption
because the encryption key and the decryption key are
identical in the secret key algorithm) of the encrypted
execution codes is determined according to the page table.
FIG. 5 and FIG. 6 show a table structure of the conversion
from the logical address to the physical address.

A logical address 301 of the program counter indicates
some value, and a directory 302 and a table 303 constituting
its upper bits specify a page entry 307-j. The page entry
307-j contains a key entry ID 307-j-K, and a key entry 309-m
to be used for decryption of this page is determined in a key
table 309 according to this ID. The physical address of the
key table 309 is specified by a key table control register 308
inside the microprocessor.

In this configuration, the ID of the key entry is set in the
page entry rather than setting the key information directly,
such that the key information in a large size is shared among
a plurality of pages so as to save a limited size of a memory
region on the instruction TLB 121.

In further detail, the page table and key table information
is stored into the instruction TLB 121 as follows. Only
portions necessary for the access to the memory are read out
from the page tables 306, 307 and 311 to the page table
buffer 230, and from the key table 309 to the execution code
decryption key table buffer 231.

In a state of being stored on the main memory, a reference
counter of the key object 309-m which is an element of the
key table 309 indicates the number of page tables that refer
to this key object. In a state where the key object is read out
to the execution code decryption key table buffer 231, this
reference counter indicates the number of page tables that
refer to this key object and that are read out to the page table
buffer 230. This reference counter will be used for judgement
at a time of deleting any unnecessary key object from
the execution code decryption key table buffer 231.

One of the features of this embodiment is that the key
table entry has a fixed length but a key length used in each
table is made variable in order to be able to deal with a
higher cryptanalytic power, and specified at a key size
region of the key table. It implies that the secret key Ks
unique to the microprocessor 101 is fixed but the length of
Kcode to be used for encryption and decryption of the
program can be changed by the specification of the key
entry. In order to specify a position of the variable length
key, the key entry 309-m has a field 309-m-4 pointing to the
key entry, which indicates an address of the key object 310.

In the key object region 310, the execution code encryption
key Kcode is stored in a form E_Kp[Kcode] encrypted by
the public key algorithm using the public key Kp of the
microprocessor 101. In order to encrypt data safely in the
public key algorithm, a large redundancy is necessary, so
that a length of the encrypted data becomes longer than a
length of the original data. Here, lengths of Ks and Kp are
set to be 1024 bits, a length of Kcode is set to be 64 bits,
which is extended to 256 bits by padding, and E_Kp[Kcode] is
encrypted in a length of 1024 bits and stored in the key
object region 310. When Kcode is so long that it cannot be
stored in 1024 bits, it is divided into a plurality of blocks of
1024 bits size each and stored.

FIG. 8 summarizes the information flow in the code
decryption. A program counter 501 indicates an address
"Addr" on an encrypted code region 502 on a logical address
space 502. The logical address "Addr" is converted into the
physical address "Addr'" according to the page table 307
that is read out to the instruction TLB 121. At the same time,
the encrypted code decryption key E_Kp[Kcode] is taken out
from the key table 309, decrypted by using the secret key Ks
provided in the CPU at a decryption function 506, and stored
into a current code decryption key memory unit 507. The
common key Kcode for the code encryption is encrypted by
using the public key Kp of the microprocessor 101 by the
program vendor, and supplied along with the program
encrypted by using Kcode, so that the user who does not
know the secret key Ks of the microprocessor 101 cannot
know Kcode.

After the program execution codes are encrypted by using
Kcode and shipped, the program vendor keeps and manages
Kcode safely such that its secret will not be leaked to a third
party.

An entire key table 511 and an entire page table 512 are
placed in a physical memory 510, and their addresses are
specified by a key table register 508 and a CR3 register 509
respectively. From the contents of these entire tables, only
necessary portions are cached into the instruction TLB 121
through the bus interface unit 112.

Now, when a content 503 corresponding to the physical
address "Addr'" as converted by the instruction TLB 121 is
read out by the bus interface unit 112, this page is encrypted
so that it is decrypted at a code decryption function 212. The
reading is carried out in units of the cache line size, and after
the decryption in block units, the inverse processing of the
interleaving described above is carried out. The decrypted
result is stored in the L1 instruction cache 213, and executed
as an instruction.

Here, the method for loading the encrypted program and
the relocation of the encrypted program will be described.
For the loading of a program into the memory, there is a
method in which a program loader changes an address value
contained in the execution codes of the program in order to
deal with a change of an address for loading the program, but
this method is not applicable to the encrypted program.
However, the relocation of the encrypted program is possible
by using a method of realizing the relocation without
directly rewriting the execution codes by utilizing a table
called Jump table or IAT (Import Address Table).

Further details of the loading procedure and the relocation
for general programs can be found, for example, in L. W.
Allen et al., "Program Loading in OSF/1", USENIX winter,
1991, and the loading method and the relocation for the
encrypted program can be found in Japanese Patent Application
No. 2000-35898 of the applicants.

It is possible to protect the execution codes placed on the
memory external of the processor by the above described
method for decrypting the encrypted execution codes of the
program, reading them out to the cache memory inside the
processor, and executing them.

However, the execution codes that are decrypted into
plain text can exist inside the processor. Even if it is impossible
to read them out directly from outside the processor,
there is a possibility for the plaintext program to be read out
and analyzed by the other programs that are operated in the
same processor.

In this embodiment, the key decryption processing by
using the secret key 241 and the key decryption unit 232 of
the instruction TLB 121 is not carried out at a time of data
reading into an L1 data cache 218. When the data reading is
carried out with respect to an encrypted page for which an
encryption flag 307-j-E is set to "1" in the page table, either
non-decrypted original data or data of a prescribed value "0"
will be read out, or else an exception occurs such that the
normally decrypted data cannot be read out. Note that when
the encryption flag 307-j-E in the page table is rewritten, the
decrypted content of the corresponding instruction cache
will be invalidated.

By this mechanism, it becomes impossible for the other
programs (including the own program) to read the execution
codes of the encrypted program as data, and decrypt them by
utilizing functions of the processor.

Also, the other programs cannot explicitly read data in the 
instruction cache, so that the safety of the execution codes 
can be guaranteed. The safety of the data will be described 
below. 

Because the encrypted execution codes can be executed in
this way, in the microprocessor of this embodiment, by
selecting the encryption algorithm and parameters
appropriately, it can be made cryptographically impossible
for a party who does not know the true value of the execution
code encryption key Kcode to analyze the operation of the
program by de-assembling the execution codes.

Thus the user cannot know the true value of the execution
code encryption key Kcode, and it can be made cryptographically
impossible for the user to make an alteration
according to the user's intention such as illegal copying of
the contents handled by the application by altering a part of
the encrypted program.

Next, another feature of the microprocessor of this
embodiment regarding the encryption, signature and its
verification for the context at a time of interrupting the
program execution under the multi-task environment will be
described.

The execution of the program under the multi-task environment
is often interrupted by the exception. Normally,
when the execution is interrupted, a state in the processor is
saved on the memory, and then the original state is recovered
at a time of restarting the execution of that program later on.
In this way, it becomes possible to execute a plurality of
programs in a quasi parallel manner and accept the interruption
processing. This information on the state at a time of
the interruption is called the context information. The context
information contains information on registers used by the
application, and in some cases, information on registers that
are not explicitly used by the application is also contained in
addition.

In the conventional processor, when the interruption
occurs during the execution of some program, the control is
shifted to the execution codes of the OS while the register
state of the application is maintained, so that the OS can
check the register state of that program to guess what
instructions were executed, or alter the context information
maintained in a plaintext form during the interruption so as
to change the operation of the program after the restart of the
execution of that program.

In view of this fact, in this embodiment, when the
interruption occurs during the execution of the protected
codes, the context of the execution immediately before that
is encrypted and saved while all the application registers are
either encrypted or initialized, and a signature made by the
processor is attached to the context information. The signature
is verified at a time of recovery from the interruption,
to check whether the signature is proper or not. When the
improper signature is detected, the recovery is stopped so
that the illegal alteration of the context information by the
user can be prevented. At this point, the encryption target
registers are user registers 701 to 720 shown in FIG. 9.

In the Pentium Pro architecture, there is a hardware 
mechanism for assisting the saving of the context informa- 
tion of the process into the memory and its recovery. A 
region for saving the state is called TSS (Task State 
Segment). In the following, an exemplary case of applying 
the present invention to this mechanism will be described,
but the present invention is not limited to the Pentium Pro 
architecture, and equally applicable to any processor archi- 
tectures in general. 

The saving of the context information in conjunction with
the exception occurrence takes place in the following case.
When the exception occurs, an entry corresponding to the
interruption cause is read out from a table called IDT
(Interrupt Descriptive Table) for describing the exception
processing, and the processing described there is executed.
When the entry indicates a TSS, the context information
saved in the indicated TSS is recovered to the processor. On
the other hand, the context information of the process that
has been executed up until then is saved in the TSS region
specified by a task register 725 at that point.

Using this automatic context saving mechanism, it is 
possible to save the entire state of the application including 
the program counter and the stack pointer, and detect any 
alteration at a time of the recovery by verifying the signa- 
ture. However, when this automatic context saving is used, 
apart from the fact that a large overhead will be caused by 
the context switching, there arises a problem that it is
impossible to carry out the interruption processing without
using the TSS. 

In order to reduce the overhead due to the interruption
processing, or to maintain the compatibility with the existing
programs, it is preferable not to use the automatic context
saving mechanism, but in such a case, the program counter
will be saved on the stack and cannot be a target of the
verification, so that it can be a target of the alteration by the
malicious OS. These two cases should preferably be used in
their proper ways according to the purpose. For this reason,
the microprocessor of this embodiment adopts the automatic
context saving with respect to the protected (encrypted)
execution codes as a result of attaching more importance to
the safety. The registers to be automatically saved may not
necessarily be all registers.

The context saving and recovery processing in this 
embodiment has the following three major features. 

(1) The contents of the saved context can be decrypted
only by the microprocessor that generated the context and a
person who knows the encryption key Kcode of the program
that generated the context.

(2) In the case where the program protected by some 
execution code encryption key X is interrupted and its 
context is saved, its restart processing cannot be applied to 
the restart of a non-protected program or a program 
encrypted by another execution code encryption key Y. 
Namely, the program to be recovered from the interruption
cannot be replaced by another program at a time of the
restart.

(3) The recovery of the altered context is prohibited. 
Namely, if the saved context is altered, that context will not 
be recovered.

By the above feature (1), it is possible to maintain the
safety of the context information while enabling the analysis
of the context information by the program vendor. The fact
that the program vendor has a right to analyze the context
information is important in order to maintain the quality of
the program by analyzing causes of any trouble that
occurred according to a condition by which the program is
used by the user.

The above feature (2) is effective in preventing a situation
where an attacker applies the context generated by the
execution of a program A to another encrypted program B
and restarts the program B from a known state saved in the
context in order to analyze secrets of the data or the codes
contained in the program B or alter the operation of the
program B. This function is also a prerequisite for the data
protection to be described below in which each one of a
plurality of applications maintains own encrypted data
exclusively and independently from the others.

By the above feature (3), it is possible to strictly eliminate
the alteration of the context information utilizing an occasion
of the restart of the program.

The reason for providing such a function is that simply
encrypting the context information according to the secret
information of the processor can protect the context information
from the alteration according to the intention of the
attacker, but it is impossible to eliminate a possibility for the
random alteration of the context that results in the restart of
the program from a state with random errors.

In the following, the context saving and verification
method incorporating the above three features will be
described in further detail.

<Context Saving Processing>

FIG. 10 shows the context saving format in this embodiment
conceptually. It is assumed that the interruption due to
the hardware or software related cause has occurred during
the execution of the protected program. If the IDT entry
corresponding to the interruption indicates a TSS, the execution
state of the program up to that point is encrypted, and
saved as the context information in a TSS indicated by the
current task register 725 (rather than the indicated TSS
itself). Then, the execution state saved in the TSS indicated
by the IDT entry is recovered to the processor. If the IDT
entry does not indicate a TSS, only the encryption or the
initialization of the current registers is carried out, and the
saving into the TSS does not take place. Of course the
restart of that program becomes impossible in that case.
Note however that the system registers including a part of
the flag registers and the task register are excluded from a
target of the encryption or the initialization of the registers
for the sake of continuation of the OS operation.

The contents of the context shown in FIG. 10 are actually
interleaved, encrypted in block units and stored in the
memory. Here the information items to be saved will be
described first. At a top, stack pointers and user registers 802
to 825 corresponding to respective privileged modes are
provided, and one word 826 indicating a TSS size and the
presence/absence of the encryption is placed next. This
indicates whether the TSS in which the processor is saved is
encrypted or not. Even in the case where the TSS is
encrypted, this region will be maintained in a plaintext form
without being encrypted.

After that, data encryption control register (CY0 to CY3)
regions 827 to 830 that are added for the purpose of the data
protection are placed, and a padding 831 for adjusting the
size to the block length is placed. Finally, a value E_Kcode[Kr]
832 in which a key Kr used in encrypting the context is
encrypted by the secret key algorithm using the execution
code encryption key Kcode, a value E_Kp[Kr] 833 in which
the key Kr used in encrypting the context is encrypted by
using the public key Kp of the processor, and a signature
S_Ks[message] 834 using the secret key Ks of the processor
with respect to them all are placed. Also, a region 801 for a
link to the previous task that maintains a call up relationship
among tasks is saved in a plaintext form in order to enable
the task scheduling by the OS.

These execution code encryption and signature generation
are carried out by the context information encryption/
decryption unit 254 in the exception processing unit 131
shown in FIG. 4, which is based on a function independent
from the encryption of the processing target data of the
execution codes. At a time of saving the context information
in the TSS, even if some encryption is specified in an address
of the TSS by the other data encryption function, this
specification is ignored and the context information is saved
in a state in which the context is encrypted. This is because
the encryption attributes of the data encryption function are
specific to each protected (encrypted) program so that the
restart of some program cannot depend on that function.

In encrypting the context, a word in the TSS size region
826 to be recorded in a plaintext form is replaced by a value
"0". Then, the interleaving similar to that explained with
references to FIGS. 7A and 7B is applied, and the context is
encrypted. At this point, the padding 831 is set to a size that
enables the appropriate interleaving in accordance with the
encryption block size.

Here, the reason for not encrypting the register values
directly by the public key Kp of the processor or the
execution code encryption key Kcode is to enable the
analysis of the encrypted context by both the program
vendor and the processor while prohibiting the decryption of
the context by the user.

The program vendor knows the execution code encryption
key Kcode so that the program vendor can obtain the
encryption key Kr of the context by decrypting E_Kcode[Kr]
832 by using Kcode. Also, the microprocessor 101 can
obtain the encryption key Kr of the context by decrypting
E_Kp[Kr] 833 by using the own secret key Ks. Namely, the
program vendor can analyze the trouble by decrypting the
context information without knowing the secret key of the
microprocessor of the user, and the microprocessor 101
itself can restart the execution by decrypting the context
information by using the own secret key Ks. The user who
does not have either key cannot decrypt the saved context
information. Also, the user who does not know the secret key
Ks of the microprocessor 101 cannot forge the context
information and the signature S_Ks[message] with respect to
E_Kcode[Kr] and E_Kp[Kr].

In order to enable the mutually independent decryption of
the context information by the program vendor and the
microprocessor, it is also possible to consider a method for
encrypting the context information directly by using Kcode.
However, in the case where the register state is already
known, there is a possibility for the known-plaintext attack
against the execution code encryption key Kcode. Namely,
when a value of the key for encrypting data is fixed, the
following problem arises. Consider the case of executing a
program which reads a data input by the user and writes it
into a working memory temporarily by encrypting it. The
data that are to be encrypted and written into the working
memory can be ascertained by monitoring the memory, so
that the user can repeat the input many times by changing the
input value and obtain the corresponding encrypted data.
This implies that the chosen-plaintext attack of the
cryptanalysis theory is possible.

The known-plaintext attack is not fatal to the secret key
algorithm, but it is still preferable to avoid that. For this
reason, a random number Kr is generated at a random
number generation mechanism 252 of the exception processing
unit 131 at each occasion of the context saving, and
supplied to the context information encryption/decryption
unit 254. The context information encryption/decryption
unit 254 encrypts the context by the secret key algorithm
using the random number Kr. Then, the value E_Kcode[Kr]
832 in which the random number Kr is encrypted by the
same secret key algorithm using the execution code encryption
key Kcode is attached. The value E_Kp[Kr] 833 is
obtained by encrypting the random number Kr by the public
key algorithm using the public key Kp of the microprocessor.

Here, the random number is generated by the random
number generation mechanism 252. In the case where the
program is encrypted, normally there is no change in the
program codes so that the corresponding plaintext codes
cannot be acquired illegally as long as the operation is not
analyzed. In this case, there is a need to carry out the
"ciphertext-only attack" in order to cryptanalyze, so that it
is very difficult to find the encryption key. However, in the
case where the data entered by the user are to be stored into
the memory by encrypting them, the user can freely select
the input data. For this reason, it is possible for the user to
make the "chosen-plaintext attack" against the encryption
key which is far more effective than the "ciphertext-only
attack".

Against the chosen-plaintext attack, it is possible to adopt
a measure for enlarging the search space by adding a random
number called "salt" into the plaintext to be protected.
However, it is very tedious to implement the saving into the
memory in a form where the "salt" random number is
incorporated in every data at the application programming
level, so that this can cause the lowering of the programming
efficiency and performance.

For this reason, the random number generation mechanism
252 generates the random number (encryption key) for
encrypting the context at each occasion of the context
saving. As the encryption key can be selected arbitrarily,
there is also an effect that the safe communications between
processes or between processes and devices can be realized
faster. This is because the speed for encrypting data by the
hardware at a time of the memory access is far slower in
general than the speed for encrypting data by the software.

On the contrary, if the value of the encryption key for the
data region is limited to a prescribed value such as that
identical to the execution code encryption key for example,
then it becomes impossible to use the data encryption
function of the processor for the other programs encrypted
by the other encryption keys or the sharing of the encrypted
data with the devices, so that it becomes impossible to take
advantage of the fast hardware encryption function provided
in the processor.

Note that the decryption of the encrypted random number
E_Kcode[Kr] 832 that takes place at a time of the restart and
the generation of the signature 834 can be based on any
algorithm and secret information as long as a condition that
they can be carried out only by the microprocessor 101 is
satisfied. In the above example, the secret key Ks unique to
the microprocessor 101 (which is also used for the decryption
of the execution code encryption key Kcode) is used for
both, but respectively different values may be used for these
purposes.

Also, the saved context contains a flag indicating the
presence/absence of the encryption, so that the encrypted
context information and the non-encrypted context information
can coexist according to the need. The TSS size and the
flag indicating the presence/absence of the encryption are
stored in a plaintext form so that it is easy to maintain the
compatibility with respect to the past programs.

<Processing for Restarting the Interrupted Program>

At a time of restarting the process by recovering the
context, the OS issues a jump or call instruction with respect
to a TSS descriptor indicating the saved TSS.

Returning now to FIG. 4, the execution code encryption
key and signature verification unit 257 of the exception
processing unit 131 verifies the signature S_Ks[message] 834
by using the secret key Ks of the processor first, and sends
the verification result to the exception processing unit 255.
In the case where the verification result is failure, the
exception processing unit 255 stops the restart of the execution
of the program, and causes the exception. By this
verification, it is possible to confirm that the context information
is surely generated by the proper microprocessor 101
that has the secret key and not altered.

When the verification of the signature succeeds, the
context information encryption/decryption unit 254 obtains
the random number Kr by decrypting the context encryption
key E_Kp[Kr] 833 by using the secret key Ks. On the other
hand, the execution code encryption key Kcode corresponding
to the program counter (EIP) 809 is taken out from the
page table buffer 230, and sent to the current code encryption
key memory unit 251. The context information
encryption/decryption unit 254 decrypts E_Kcode[Kr] by using
the execution code decryption key Kcode, and sends the
result to the execution code encryption key and signature
verification unit 257. The execution code encryption key and
signature verification unit 257 verifies whether the decryption
result of E_Kcode[Kr] 832 coincides with the decryption
result of the microprocessor using the secret key Ks or not.
By this verification, it is possible to confirm that this context
information is generated by the execution of the execution
codes encrypted by using the secret key Kcode.

If this verification of the execution code encryption key
with respect to the context information is not carried out, it
would become possible for the user to make an attack by
producing codes encrypted by using any suitable secret key
Ka and applying the context information obtained by executing
these codes to the codes encrypted by the other secret
key Kb. The above verification eliminates a possibility of
this attack and guarantees the safety of the context information
for the protected codes.

This object can also be achieved by adding a secret
execution code encryption key Kcode to the context
information, but in this embodiment, by the use of the value
E_Kcode[Kr] in which a secret random number Kr used in
encrypting the context information is encrypted by using the
execution code encryption key Kcode selected by the program
vendor, it is possible to reduce the amount of memory
required for saving the context information so as to achieve
the effects of the fast context switching and the memory
saving. This also enables the feedback of the context information
to the program creator.

Now, when the verification of the execution code encryption
key and the verification of the signature by the execution
code encryption key and signature verification unit 257
both succeed, the context is recovered to the register file 253,
and the program counter value is also recovered so that the
control is returned to an address at a time of the execution
interruption that caused this context to be generated.

When either one of these verifications fails so that the
exception processing unit 255 causes the exception to occur,
an exception occurrence address indicates an address at
which the jump or call instruction is issued. Also, a value
indicating illegality of the TSS is stored into an interruption
cause field in the IDT table, and an address of a jump target
TSS is stored into a register that stores an address that is the
cause of the interruption. In this way, the OS can learn the
cause of the context switching failure.

Note that, in order to realty tlie Faster resiart processing, 
it is also possible to use a configuration in which the supply 
of the execution state encrypted by the context information 
encryption/decryption unit 254 to the register file 253 and 
Ihe verification processing by the execution code encryption 
key and signature verification unit 257 arc carried out in 
paralfcl, and the subsequent processing is stopped when the 
verification fails. 

15 The safely of this encryption scheme using a random 
number depends on the impossibility to predict a random 
number sequence used, and a method for generating by 
hardware a random number lhal is very hard to predict is 
disclosed in Onodera, el al., Japanese Patent No. 2980576. 

The analysis of the context information by the program
vendor is important in improving the quality of the program
by analyzing the causes of any trouble in the program that
occurred according to a condition by which the program is
used by the user. In this embodiment, in view of this fact, the
above described scheme for realizing both the safety of the
context and the capability of the context information analysis
by the program vendor is employed, but it is also true that
the use of this scheme increases the overhead of the context
saving.

Moreover, the verification of the context information by
using the signature made by the microprocessor prevents the
execution of the protected codes in the illegal context
information by using a combination of arbitrarily selected
value and encryption key, but this additional protection also
increases the overhead.

Consequently, in the case where there is no need for the
capability of the context information analysis by the program
vendor or a mechanism for eliminating the program
restart using the illegal context information, the context
information containing information for identifying the
execution code encryption key may be directly encrypted by
using the secret key of the processor. Even in such a case, it
is still possible to make the intentional alteration of the
context cryptographically impossible, and prevent the context
information from being applied to a program encrypted
by using a different encryption key.

Here, the context saving format will be described further.
Its relationship with the operation will be described later.
In FIG. 10, an "R" bit 825-1 is a bit indicating whether the
context is restartable or not. When this bit is set to "1", the
execution can be restarted by recovering the state saved in
the context by the above described recovery procedure,
whereas when this bit is set to "0", the restart cannot be
made. This has an effect of preventing the restart of the
context in which the illegality is detected during the execution
of the encrypted program so as to limit the restartable
contexts to only those in the proper states.

A "U" bit 825-2 is a flag indicating whether the TSS is a
user TSS or a system TSS. When this bit is set to "0", the
saved TSS is the system TSS, and when this bit is set to "1",
the saved TSS is the user TSS. The TSS that will be saved
and recovered through the task switching accompanied by
the change of the privilege from the exception entry as
described above or through a task gate call up is the system
TSS.

The difference between the system TSS and the user TSS
lies in whether a task register indicating a TSS saving
location of the currently executed program is to be updated
or not at a time of the recovery of the TSS. In the recovery
of the system TSS, the task register of the currently executed
program will be saved in the link to the previous task region
801 of the TSS to be newly recovered, and the segment
selector of the new TSS will be read into the task register. On
the other hand, in the recovery of the user TSS, the update
of the task register value will not be carried out. The user
TSS is aimed only at the saving and the recovery of the
register state of the program so that it is not accompanied by
the change of the privileged mode.

The exception includes a software interrupt used for the
system call up from the application program. In the case of
the software interrupt for the purpose of the system call up,
the general purpose register is often used for the parameter
exchange, and there can be cases where the context information
encryption can obstruct the parameter exchange.

The software interrupt is generated by the application
itself, so that it is possible for the application to destroy
information of the registers that have secrets, prior to the
generation of the software interrupt. Under the presumption
of such conditions, it is possible to use a scheme in which
the encryption of the registers is not carried out only in the
case of the software interrupt. Of course, in such a case, the
application program creator should take this fact into
consideration and design the program such that the secrets of the
program can be protected.

Next, the suppression of the plaintext program debugging
function will be described.

The processor has a step execution function which causes
the interruption whenever one instruction is executed, and a
debugging function which causes the exception whenever a
memory access with respect to a specific address is made.
These functions may be useful for the development of
programs but they can impair the safety of programs that are
encrypted for the purpose of the secret protection.
Consequently, in the microprocessor of this embodiment,
such debugging functions are suppressed during the execution
of the encrypted program.

The instruction TLB 121 can judge whether the currently
executed code is protected or not (encrypted or not). During
the execution of the protected code, two debugging functions
including a debug register function and a step execution
function are prohibited in order to prevent an intrusion
of the encrypted program analysis from a debug flag or a
debug register.

The debug register function is a function in which a
memory access range and an access type such as reading/
writing as the execution code or data are set in advance into
a debug register provided in the processor such that the
interruption is caused whenever a corresponding memory
access occurs. In this embodiment, during the execution of
the protected code, the contents set in the debug register will
be ignored so that the interruption for the purpose of the
debugging will not occur. Note however that the case where
a debug bit is set in the page table is excluded from this rule.
The debug bit in the page table will be described later.

During the execution of a non-protected (plaintext) code,
the interruption will be caused whenever one instruction is
executed if a step execution bit in an EFLAGS register of the
processor is set, but during the execution of the protected
code, this bit will also be ignored so that the interruption will
not occur.

In this embodiment in addition to the encryption of the
execution codes for the purpose of preventing the analysis,
these functions make the analysis of the program by the user
difficult by preventing the dynamic analysis of the program
using the debug register or the debug flag.

<Data Protection>

Next, the protection of the processing target data of the
execution codes will be described.

In this embodiment, the encryption attributes for protecting
data are defined in four registers CY0 to CY3 that are
provided inside the microprocessor 101. They correspond to
regions 717 to 720 shown in FIG. 9. In FIG. 9, details of the
registers CY0 to CY2 are omitted and only details of the
register CY3 are shown.

Elements of the encryption attribute will now be
described by taking the CY3 register 717 as an example.
Upper bits of the logical address indicating a top of the
region to be encrypted are specified in a base address 717-1.
The size of the region is specified in a size region 717-4. A
size is specified in units of the cache line so that there is an
invalid portion at the lower bits. A data encryption key is
specified in a region 717-5. Here the secret key algorithm is
used so that the region 717-5 is also used for the decryption
key. When a value of the encryption key is specified as "0",
it implies that the region indicated by that register is not
encrypted.

Among the specifications of the regions, CY0 is given the
highest priority, and CY1 to CY3 are given sequentially
lower priorities in this order. For example, when the regions
specified by CY0 and CY1 overlap, the attributes of CY0 are
given the priority over those of CY1 in that region. Also, the
definition of the page table is given the highest priority in the
case of a memory access as the execution code rather than
as the processing target data.

A debug bit 717-4 is used in selecting whether the data
operation in the debugging state is to be carried out in an
encrypted state or in a plaintext state. Details of the debug
bit will be described later.

FIG. 12 shows the information flow in the encryption/
decryption of the processing target data of the execution
codes. Here, the data protection is made only in the state
where the code is protected, that is the code is executed in
an encrypted state. Note however that the case where the
code is executed in the debugging state to be described
below will be excluded from this rule. When the code is
protected, the contents of the data encryption control registers
(which will be also referred to as the encryption attribute
registers or the data protection attribute registers) CY0 to
CY3 are read from the register file 253 shown in FIG. 4 to
a data encryption key table 236 provided inside the data TLB
141.

When some instruction writes data into a logical address
"Addr", the data TLB 141 judges whether the logical
address "Addr" is contained in ranges of CY0 to CY3 or not
by checking the data encryption key table 236 (see FIG. 4).
As a result of the judgement, if the encryption attribute is
specified, the data TLB 141 commands the code encryption
function 212 to encrypt the memory content by the specified
encryption key at a time of the memory writing of a
corresponding cache line from the L1 data cache 218 to the
memory.

Similarly, in the case of reading, if the target address has
the encryption attribute, the data TLB 141 commands the
data decryption function 219 to decrypt the data by the
specified encryption key at a time of the reading of a cache
line out to the corresponding L1 data cache 218.

In this embodiment, the data encryption attributes are
protected from the illegal rewriting including the privilege
of the OS by placing all the data encryption attributes for the
data encryption in the registers inside the microprocessor
101 and saving the contents of the registers at a time of the
execution interruption as the context information in a safe
form into a memory (the main memory 281 of FIG. 4, for
example) external of the microprocessor 101.

The data encryption/decryption is carried out in units of
the cache line that is interleaved as described above in
relation to the context encryption. For this reason, even
when one bit of the data on the L1 cache 114 is rewritten, the
other bits in the cache line will be rewritten on the memory.
The execution of the data reading/writing is carried out
collectively in units of the cache line, so that the increase of
the overhead is not so large, but it should be noted that the
reading/writing with respect to the encrypted memory
regions cannot be carried out in units less than or equal to the
cache line size.

In the above, the method for protecting the data by
encryption in this embodiment has been described. By this
method, on the main memory, it is possible to process the
encrypted data by encrypting them inside the processor by
using the encryption key and the memory range specified by
the application program, and read/write them as plaintext
data from a viewpoint of the application.

Next, two mechanisms for preventing reading of the data 
stored in a plaintext form in the cache memory inside the 
processor by a program other than the encrypted programs 
that has read these data (which will be referred to as the other 
program) will be described. 

First, the program is identified by its encryption key. This
identification is made by using a key object identifier used
at a time of decrypting the currently executed instruction
inside the processor. Here, a value of the key itself may be
used for this identification, but a value of the execution code
decryption key has a rather large size of 1024 bits before the
decryption or of 128 bits after the decryption which would
require an increase of the hardware size, so that the key
object identifier which has a total length of only 10 bits is
used.

The L1 instruction cache 213 in which the decrypted
execution codes are to be stored has attribute memories
in correspondence to the cache lines. When the decrypted
execution codes are stored into the L1 instruction cache 213
by the code decryption function 212, the key object identifier
is written into the attribute memory.

Also, in the case of reading the encrypted data from the
memory and decrypting it, the contents of the data protection
attribute registers CY0 to CY3 are read out from the register
file 253 to a protection table management function 233 of the
data TLB 141. At this point, the key object identifier
corresponding to the currently executed instruction is also
read from the current code encryption key memory unit 251
at the same time and maintained in the protection table
management function 233.

Similarly as in the case of the instruction cache, the data
cache 218 has attribute memories in correspondence to the
cache lines. When the data read out from the memory is
decrypted by the data decryption function 219 and stored
into the L1 data cache 218, the key object identifier is written
into the attribute memory from the protection table
management function 233.

When some instruction is executed and the data referring
is carried out, the key object identifier written in the attribute
of the data cache and the key object of that instruction in the
instruction cache are compared by the secret protection
violation detection unit 256. If they do not coincide, the
exception of the secret protection violation occurs and the
data referring fails. In the case where the attribute of the data
cache indicates a plaintext, the data referring always
succeeds.

Note that, when the attributes of the instruction and the
data do not coincide, instead of causing the exception, it is
also possible to discard the content of this data cache and
re-read the data from the memory once again.

For example, consider program-1 and program-2 for
which the execution code encryption key as well as the data
protection attribute registers CY0 to CY3 are different. If the
encrypted data referred and written into the cache by the
program-1 is to be referred by the program-2, the program-2
will read out a different data. This operation is in accord with
the purpose of protecting secrets.

If two programs have the same data encryption key and 
data at the same address are referred by them, the same data 
will be read so that this data can be shared between them. 

In this way, in this embodiment, data generated by some 
program-1 can be protected from being referred by another 
program-2 by providing a function for maintaining attributes 
of the instruction to be executed and the data indicating 
programs to which they originally belong, and comparing 
the attributes to see if they coincide or not at a time of the 
data referring due to the instruction execution. 
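
The attribute comparison described above can be followed in a small model. This is an added example, not code from the patent: the 16-byte line size, the use of identifier 0 for the plaintext attribute, the XOR stand-in cipher and all names are assumptions, and data sharing under a common data key is shown only for the discard-and-re-read variant.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LINE_BYTES 16        /* assumed line size for this sketch */
#define KID_MASK   0x3FFu    /* the key object identifier is 10 bits long */
#define KID_PLAIN  0u        /* assumed encoding of the plaintext attribute */

enum policy { POLICY_EXCEPTION, POLICY_DISCARD_REREAD };
enum ref_result { REF_OK, REF_VIOLATION, REF_REREAD };

struct program { uint16_t kid; uint8_t data_key; };  /* data_key 0 = plaintext */

struct dcache_line {
    int      valid;
    uint16_t kid;                 /* attribute memory for this line */
    uint8_t  plain[LINE_BYTES];   /* decrypted content */
};

/* Stand-in for the data encryption/decryption functions: XOR with a
 * key-dependent byte stream. Not the patent's cipher and not secure. */
static void toy_crypt(uint8_t *buf, uint8_t key)
{
    if (key == 0)
        return;
    for (int i = 0; i < LINE_BYTES; i++)
        buf[i] ^= (uint8_t)(key * 31u + (unsigned)i * 7u);
}

/* Read one line from memory, decrypt it for program p and tag the line. */
static void line_fill(struct dcache_line *l, const uint8_t *mem,
                      const struct program *p)
{
    memcpy(l->plain, mem, LINE_BYTES);
    toy_crypt(l->plain, p->data_key);
    l->kid = p->data_key ? (uint16_t)(p->kid & KID_MASK) : KID_PLAIN;
    l->valid = 1;
}

/* Data reference issued by an instruction that belongs to program p. */
enum ref_result data_ref(struct dcache_line *l, const uint8_t *mem,
                         const struct program *p, enum policy pol,
                         uint8_t *out)
{
    enum ref_result r = REF_OK;

    if (!l->valid) {
        line_fill(l, mem, p);
    } else if (l->kid != KID_PLAIN && l->kid != (p->kid & KID_MASK)) {
        if (pol == POLICY_EXCEPTION)
            return REF_VIOLATION;     /* out is left untouched */
        line_fill(l, mem, p);         /* discard the line and read again */
        r = REF_REREAD;
    }
    memcpy(out, l->plain, LINE_BYTES);
    return r;
}

/* Constructed scenario: program-1 caches its secret, then a second
 * program (kid, key) refers to the same line. */
static const char SECRET[LINE_BYTES + 1] = "secret-of-prog-1";
static const struct program PROG1 = { 0x101, 0x5A };

static enum ref_result demo(enum policy pol, uint16_t kid, uint8_t key,
                            uint8_t *out)
{
    uint8_t mem[LINE_BYTES], tmp[LINE_BYTES];
    struct dcache_line line = { 0 };
    struct program second = { kid, key };

    memcpy(mem, SECRET, LINE_BYTES);
    toy_crypt(mem, PROG1.data_key);          /* ciphertext in main memory */
    data_ref(&line, mem, &PROG1, pol, tmp);  /* program-1 fills the line */
    memset(out, 0, LINE_BYTES);
    return data_ref(&line, mem, &second, pol, out);
}

int demo_result(enum policy pol, uint16_t kid, uint8_t key)
{
    uint8_t out[LINE_BYTES];
    return demo(pol, kid, key, out);
}

int demo_sees_secret(enum policy pol, uint16_t kid, uint8_t key)
{
    uint8_t out[LINE_BYTES];
    demo(pol, kid, key, out);
    return memcmp(out, SECRET, LINE_BYTES) == 0;
}

int main(void)
{
    printf("program-2, exception policy: result %d, sees secret %d\n",
           demo_result(POLICY_EXCEPTION, 0x202, 0x77),
           demo_sees_secret(POLICY_EXCEPTION, 0x202, 0x77));
    printf("program-2, re-read policy:   result %d, sees secret %d\n",
           demo_result(POLICY_DISCARD_REREAD, 0x202, 0x77),
           demo_sees_secret(POLICY_DISCARD_REREAD, 0x202, 0x77));
    printf("same data key, re-read:      result %d, sees secret %d\n",
           demo_result(POLICY_DISCARD_REREAD, 0x303, 0x5A),
           demo_sees_secret(POLICY_DISCARD_REREAD, 0x303, 0x5A));
    return 0;
}
```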

<Entry Gate> 

In this embodiment, the cases where the control can be
shifted from the non-protected code to the protected code are
limited only to the following two cases:

(1) the case where the context encrypted by using the
execution code encryption key (that is, the context having a
random number) that coincides with a restart address is to be
restarted; and

(2) the case where the control is shifted from a
non-protected code to an entry gate instruction ("egate"
instruction) of the protected code, by the execution of the
consecutive codes or by a jump or call instruction.

This limitation is placed in order to prevent an attacker
from obtaining information on code fragments by executing
the code from arbitrary position. The procedure for the
above (1) has already been described in relation to the
context recovery. Namely, the control is shifted to the
execution of the protected code only when it is verified that
the context information matching with the execution code
encryption key of the code that was executed immediately
before the interruption is contained, and that the proper
signature given by the microprocessor 101 is attached.

The above (2) is a processing for prohibiting a transition
to the execution of the protected code unless a special
instruction called entry gate ("egate") instruction is executed
at the beginning of the control in the case of shifting the
control from the non-protected code to the protected code.

FIG. 11 shows a procedure for switching a protection
domain based on the entry gate instruction. The microprocessor
101 is maintaining the encryption key of the currently
executed code in the current code encryption key memory
unit 251 (see FIG. 4) of the exception processing unit 131.
First, whether the value of this key is changed in conjunction
with the execution of the instruction or not is judged (step
601). When the change of the key value is detected (step 601
NO), whether the instruction executed in conjunction with
the change is an entry gate ("egate") instruction or not is
checked next (step 602). If it is the entry gate instruction,
it implies that it is a proper instruction so that the control can
be shifted to the changed code. Consequently, when it is
judged as an entry gate instruction (step 602 YES), this
instruction is executed.

On the other hand, when it is judged as not an entry gate
instruction (step 602 NO), it implies that the interrupted
instruction is an improper instruction. In this case, whether
the instruction that was executed immediately previously is
an encrypted (protected) instruction or not is judged (step
603). If it is a non-protected instruction, the exception
processing can take place directly, but if it is a protected
instruction, there is a need to carry out the exception
processing while protecting that instruction.

Consequently, when it is judged as a non-protected
instruction (step 603 NO), the exception processing is carried
out directly, whereas when it is judged as a protected
instruction (step 603 YES), the non-restartable exception
processing is carried out while maintaining the protected
state.

By this limitation of the control shifting, the direct shifting
of the control from a plaintext code to a code at a
location other than that of the entry gate instruction is
prohibited. The context recovery implies the recovery of the
state that was already executed once by that program
through the entry gate. Consequently, the execution of the
protected program must pass through the entry gate. By
suppressing locations for placing the entry gate to the
minimum necessary number in the program, there is an
effect of preventing an attack for guessing a program structure
by executing the program from various addresses.

Also, at this entry gate, the initialization of the data
protection attribute registers is carried out. When the entry
gate is executed, a random number Kr is loaded into a key
region (a region 717-5 in CY3) of the data protection
attribute registers CY0 to CY3 717 to 720 shown in FIG. 9.
The encryption target top address is set to "0", the size is set
to an upper limit of the memory, and the entire logical
address space is set as the encryption target. If the debug
attribute is not set in the execution code, the debug bit (717-3
in CY3) is set as non-debugging.

In other words, at a timing of the encryption code execution
start, all the memory accesses are encrypted by using
the random number Kr determined at a time of the entry gate
execution. Also, in the execution code encryption control,
the definition in the page table is given a higher priority as
already mentioned above. This random number Kr is generated
independently from the random number used in the
context encryption.

By this mechanism, a protected program to be newly
executed is set to be always encrypted by using a key
determined randomly at a time of the start of all the memory
accesses.

Of course, in this state the entire memory region is
encrypted so that it is impossible to give parameters of the
system call through the memory or exchange data with the
other programs. For this reason, the program carries out the
processing by sequentially adjusting its own processing
environment by setting the data protection attribute registers
such that the necessary memory region can be converted into
plaintext so that it becomes accessible. By leaving the
register CY3 with a lowest priority in the initial setting of
being encrypted by using the random number, while setting
the encryption key "0" as the plaintext access setting for the
other registers, it is possible to reduce a risk of accessing an
unnecessary region as a plaintext and writing data to be kept
in secret by encryption out to a plaintext region by error.
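
The register priority from the Data Protection section and the entry gate initialization above can be followed in a small model. This is an added example, not code from the patent: the 32-byte line size, the 32-bit address space, the treatment of a zero-size register as unused, the sample addresses and keys, and all names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define NUM_CY      4
#define LINE_BYTES  32u            /* assumed cache-line size */
#define SPACE_LIMIT (1ULL << 32)   /* assumed 32-bit logical address space */
#define KEY_PLAIN   0u             /* key "0": the region is not encrypted */

/* One data protection attribute register (a model, not the hardware layout). */
struct cy_reg {
    uint64_t base;   /* top of the region to be encrypted */
    uint64_t size;   /* region size in bytes; 0 = register unused (assumption) */
    uint64_t key;    /* data encryption key, KEY_PLAIN means plaintext */
    int      debug;  /* debug bit */
};

/* Entry gate: every register covers the whole space under the random key Kr. */
void cy_egate_init(struct cy_reg cy[NUM_CY], uint64_t kr)
{
    for (int i = 0; i < NUM_CY; i++) {
        cy[i].base = 0;
        cy[i].size = SPACE_LIMIT;
        cy[i].key = kr;
        cy[i].debug = 0;
    }
}

/* Program-side update of one register. Bits below the line size are invalid
 * and are dropped. Returns 0 on success, -1 for a bad index or range. */
int cy_set(struct cy_reg cy[NUM_CY], int idx,
           uint64_t base, uint64_t size, uint64_t key)
{
    const uint64_t mask = ~(uint64_t)(LINE_BYTES - 1u);

    if (idx < 0 || idx >= NUM_CY)
        return -1;
    base &= mask;
    size &= mask;
    if (base > SPACE_LIMIT || size > SPACE_LIMIT - base)
        return -1;
    cy[idx].base = base;
    cy[idx].size = size;
    cy[idx].key = key;
    return 0;
}

/* Index of the highest-priority register (CY0 first) holding addr, or -1. */
int cy_match(const struct cy_reg cy[NUM_CY], uint64_t addr)
{
    for (int i = 0; i < NUM_CY; i++)
        if (cy[i].size != 0 && addr >= cy[i].base &&
            addr - cy[i].base < cy[i].size)
            return i;
    return -1;
}

/* Key applied to the cache line holding addr. An address matched by no
 * register is treated as plaintext (assumption, the text does not cover it). */
uint64_t cy_key_for(const struct cy_reg cy[NUM_CY], uint64_t addr)
{
    int i = cy_match(cy, addr);
    return i < 0 ? KEY_PLAIN : cy[i].key;
}

/* Constructed layout: a plaintext parameter window in CY0, a window under a
 * shared key in CY1 that overlaps it, CY2 unused, CY3 left as set by egate. */
#define DEMO_KR     0x1234u
#define DEMO_SHARED 0xBEEFu

void cy_demo_layout(struct cy_reg cy[NUM_CY])
{
    cy_egate_init(cy, DEMO_KR);
    cy_set(cy, 0, 0x8000, 0x100, KEY_PLAIN);
    cy_set(cy, 1, 0x8080, 0x200, DEMO_SHARED);
    cy_set(cy, 2, 0, 0, KEY_PLAIN);
}

int cy_demo_match(uint64_t addr)
{
    struct cy_reg cy[NUM_CY];
    cy_demo_layout(cy);
    return cy_match(cy, addr);
}

uint64_t cy_demo_key(uint64_t addr)
{
    struct cy_reg cy[NUM_CY];
    cy_demo_layout(cy);
    return cy_key_for(cy, addr);
}

int main(void)
{
    const uint64_t probes[] = { 0x7FFF, 0x8090, 0x8100, 0x9000 };

    for (unsigned i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("addr 0x%llx -> CY%d, key 0x%llx\n",
               (unsigned long long)probes[i], cy_demo_match(probes[i]),
               (unsigned long long)cy_demo_key(probes[i]));
    return 0;
}
```

Any address outside the two windows still resolves to CY3 and the random key Kr, which is the fallback the paragraph above relies on.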

The contents of the registers other than the data protection
attribute registers are not encrypted even in the initialization
at the entry gate, and pointers for specifying locations of
stacks or parameters can be stored therein. However, care
should be taken in the processing of the program to be
executed through the entry gate so that secrets of the
program will not be stolen by calling up the entry gate by
setting illegal values into the registers.

It is also possible to use a configuration for initializing all
the registers other than the flags and the program counter,
including the general purpose registers other than the data
protection attribute registers, at the entry gate in the case of
attaching more importance to the safety, even though this
provision makes the programming more restricted and the
efficiency poorer. Even in this case, the parameters such as
stacks can be exchanged through a memory region specified
by a relative address or an absolute address of the program
counter. Note however that, similarly as in the case of the
context saving, the system registers including a part of the
flag registers and the task register are excluded from a target
of the encryption or the initialization of the registers for the
sake of continuation of the OS operation.

In this way, in the microprocessor 101 of this
embodiment, the fragmentary execution of the protected code,
especially the illegal setting of the data protection state, is
prevented, as the first instruction to be executed at a time of
shifting the control from the program in the plaintext state to
the protected program is limited to the entry gate instruction
and the registers including the data protection attribute
registers are initialized by the execution of the entry gate
instruction.

Next, the execution control of the protected program will
be described. First, the call up and the branching that are
closed within the protection domain will be described. The
call up within the protection domain is exactly the same as
that for the usual programs. FIG. 13 shows the call up and
the branching within the protection domain conceptually.

The execution of the code 1101 in the protection domain
is started as a thread 1121 outside the protection domain is
branched into an "egate" (entry gate) instruction of the
protection domain. By the execution of the "egate"
instruction, all the registers are initialized, and then the data
protection attributes are set up sequentially by the execution
of the program. The control is shifted to a branch target
"xxx" 1111 in the protection domain by a "jmp xxx"
instruction (processing 1122), and a "call yyy" instruction
located at an address "ppp" 1112 is executed (processing
1123). The calling source address "ppp" 1112 is pushed into
a stack memory 1102, and the control is shifted to a call
target "yyy" 1113. When the processing at the call target is
completed and a "ret" instruction is executed, the control is
shifted to a return address "ppp" 1112 in the stack. There is
no limitation on the execution control while the execution
code encryption key remains the same.

Next, the call up and the branching from a protection
domain to a non-protection domain will be described. For
this control shifting, the execution of a special instruction
and the operation of the user TSS to be described below will
be carried out in order to avoid a shifting from a protection
domain to a non-protection domain that is not intended by
the program creator and to protect the data protection state.
FIG. 14 shows the call up and the branching from a
protection domain to a non-protected domain conceptually,
where an execution code 1201 of the protection domain and
an execution code 1202 of the non-protection domain are
placed in respective domains. Also, a user TSS region 1203
and a region 1204 for exchanging parameters with the
non-protection domain are provided.

The execution begins when a thread 1221 executes the
"egate" instruction. The program of the protection domain
saves the address of the user TSS region 1203 in a prescribed
parameter region 1204 before calling up the code of the
non-protection domain. Then, the code of the non-protection
domain is called up by executing the "ecall" instruction. The
"ecall" instruction takes two operands. One is a call target
address, and the other is a saving target of the execution
state. The "ecall" instruction saves the register state at a time
of the call up (or more accurately the register state when the
program counter is in a state after the "ecall" instruction is
issued) into a region specified by the operand "uTSS", in a
format similar to that in the case of the encrypted TSS
described above. In the following, this region will be
referred to as a user TSS.

The difference between the user TSS and the system TSS
lies in that, in the user register shown in FIG. 10, a U flag
is set in a region 825-2 on the TSS. The difference in the
operation will be described later. In the saving of the user
TSS into the memory, the data protection attributes defined
in the data protection attribute registers CY0 to CY3 by the
user are not applied, similarly as in the case of the saving of
the context information into the system TSS.

The call target code of the non-protection domain cannot
exchange parameters because the registers are initialized by
the execution of the "ecall" instruction. For this reason, the
parameters are acquired from a prescribed address "param"
1204, and the necessary processing is carried out. There is
no limitation on the programming in the non-protection
domain. In the example of FIG. 14, a sub-routine "qqq"
1213 is called up (processing 1225). The call up from the
protection domain can be adapted to the call up semantics of
the sub-routine "qqq" by placing an adaptor code for copying
stack pointer setting and the parameters to the stack,
between "exx" and the call up of "qqq", for example. The
processing result is sent to the calling source through the
parameter region 1204 on the memory (processing 1226).
When the processing of the sub-routine is completed, a
"sret" instruction is issued in order to return the control to
the calling source protection domain (processing 1227).

The "sret" instruction takes one operand for specifying
the user TSS, unlike the "ret" instruction that has no
operand. Here, the user TSS 1203 is specified indirectly as
the recovery information through a pointer stored in the
parameter region "param" 1204. The recovery of the user
TSS by the "sret" instruction largely differs from the recovery
of the system TSS in that the task register is not affected
at all even when the user TSS is recovered. The task link
field of the user TSS will be ignored. The recovery will fail
when the system TSS with the U flag 825-2 set to "0" is
specified in the operand of the "sret" instruction.

At a time of the execution of the recovery, the decryption
of the execution state and the verification of the execution
code encryption key and the signature already described
above are carried out, and when the violation is detected, the
exception of the secret protection violation will occur. When
the verification succeeds the execution is restarted from an
instruction next to the calling source "ecall" instruction. This
address is encrypted and signed in the user TSS, so that it is
cryptographically impossible to forge this address. All the
registers except for the program counter will be set back to
the state before the call up, so that the code of the protection
domain acquires the execution result of the sub-routine
"exx" from the parameter region 1204.

At a time of shifting the control to the non-protection
domain after the processing of the protection domain is
completed, an "ejmp" instruction is used. The "ejmp"
instruction does not carry out the saving of the state, unlike
the "ecall" instruction. If the control is shifted from the
protection domain to the non-protection domain by the
instruction other than "ecall" and "ejmp", such as "jmp" or
"call", the exception of the secret protection violation occurs
and the encrypted context information is saved in the TSS
region (a region indicated by the task register) of the system.
Note that the context information will be marked as
non-restartable at this point. Note also that specifying an address
in the protection domain as a jumping target of the "ejmp"
instruction does not cause the violation.
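
The entry check of FIG. 11 and the exit rule for "ecall" and "ejmp" above can be combined into one monitor that is run over instruction traces. This is an added example, not code from the patent: the trace representation, the key value 0 for plaintext code and all names are assumptions, and context recovery (case (1) and "sret") is left out.

```c
#include <stdint.h>
#include <stdio.h>

#define KEY_NONE 0u   /* assumed marker for plaintext (non-protected) code */

enum insn { INSN_OTHER, INSN_JMP, INSN_CALL, INSN_EGATE, INSN_ECALL, INSN_EJMP };
enum verdict { V_CONTINUE, V_ENTER, V_LEAVE, V_EXC_DIRECT, V_EXC_NONRESTARTABLE };

/* One fetched instruction: the key it was decrypted with and its kind. */
struct step { uint32_t key; enum insn op; };

struct cpu {
    uint32_t  cur_key;      /* models the current code encryption key memory unit */
    enum insn last;         /* previously executed instruction */
    int       restartable;  /* models the R bit of the context saved on a fault */
};

/* Apply the domain-switch rules to one instruction. */
enum verdict check_step(struct cpu *c, struct step s)
{
    enum verdict v = V_CONTINUE;

    if (s.key != c->cur_key) {                  /* key changed (step 601) */
        if (s.key != KEY_NONE) {                /* target is protected code */
            if (s.op == INSN_EGATE)             /* step 602 */
                v = V_ENTER;
            else if (c->cur_key == KEY_NONE)    /* step 603: came from plaintext */
                v = V_EXC_DIRECT;
            else                                /* came from protected code */
                v = V_EXC_NONRESTARTABLE;
        } else {                                /* leaving a protection domain */
            v = (c->last == INSN_ECALL || c->last == INSN_EJMP)
                    ? V_LEAVE : V_EXC_NONRESTARTABLE;
        }
    }
    if (v == V_EXC_NONRESTARTABLE)
        c->restartable = 0;                     /* context marked non-restartable */
    if (v == V_EXC_DIRECT || v == V_EXC_NONRESTARTABLE)
        return v;                               /* transfer refused */
    c->cur_key = s.key;
    c->last = s.op;
    return v;
}

/* Run a trace from plaintext code; stops at the first exception. */
enum verdict run_trace(struct cpu *c, const struct step *t, int n)
{
    enum verdict v = V_CONTINUE;

    c->cur_key = KEY_NONE;
    c->last = INSN_OTHER;
    c->restartable = 1;
    for (int i = 0; i < n; i++) {
        v = check_step(c, t[i]);
        if (v == V_EXC_DIRECT || v == V_EXC_NONRESTARTABLE)
            break;
    }
    return v;
}

/* Constructed traces; A and B stand for two execution code keys. */
#define A 0xA1u
#define B 0xB2u
static const struct step TRACES[4][6] = {
    /* 0: enter through egate, leave through ecall */
    { {KEY_NONE, INSN_OTHER}, {KEY_NONE, INSN_JMP}, {A, INSN_EGATE},
      {A, INSN_OTHER}, {A, INSN_ECALL}, {KEY_NONE, INSN_OTHER} },
    /* 1: plaintext code jumps into the body of protected code */
    { {KEY_NONE, INSN_JMP}, {A, INSN_OTHER} },
    /* 2: protected code leaves with a plain jmp */
    { {KEY_NONE, INSN_JMP}, {A, INSN_EGATE}, {A, INSN_JMP},
      {KEY_NONE, INSN_OTHER} },
    /* 3: ecall into another protection domain, target is not its egate */
    { {KEY_NONE, INSN_JMP}, {A, INSN_EGATE}, {A, INSN_ECALL}, {B, INSN_OTHER} },
};
static const int TRACE_LEN[4] = { 6, 2, 4, 4 };

int demo_verdict(int id)
{
    struct cpu c;
    return run_trace(&c, TRACES[id], TRACE_LEN[id]);
}

int demo_restartable(int id)
{
    struct cpu c;
    run_trace(&c, TRACES[id], TRACE_LEN[id]);
    return c.restartable;
}

int main(void)
{
    for (int id = 0; id < 4; id++)
        printf("trace %d: verdict %d, restartable %d\n",
               id, demo_verdict(id), demo_restartable(id));
    return 0;
}
```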

This completes the description of a procedure for call up 
from the protection domain to the non-protection domain 
and newly added instructions used in that procedure. 

At a time of the recovery of the user TSS by the 
application, an attack for substituting the user TSS by the OS 
which has privileges is not entirely impossible. However, the 
interchangeable TSS information in such a case is only the 
context information whose execution is always started 
through the "egate" and which is saved by the saving of the 
execution state caused by the interruption or by the user 
explicitly, as long as the execution code encryption key of 
the protection domain is managed correctly. A possibility for 
the leakage of the secrets of the application due to the 
interchange of this context information is quite small, and it 
is quite difficult for an attacker to guess what kind of the 
context information interchange is necessary in acquiring 
the secrets of the application. 

The procedure for call up from the protection domain to 
the non-protection domain described above is also appli- 
cable to a procedure for shifting the control between the 
protection domains, if the instruction to be executed first at 
the call target is the "egate" instruction of the calling source 
side. 

In this case, the call up between the protection domains 
can be carried out safely by encrypting the region for 
exchanging parameters between these protection domains, 
by using an encryption key that is shared by carrying out the 
authentication key exchange between these protection 
domains in advance. 

As described, according to the microprocessor of the 
present invention, it becomes possible to prevent the illegal 
analysis by the OS or a third party by protecting both the 
execution codes and the processing target data of the execu- 
tion codes by using the encryption, under the multi-task 
environment. 

Also, it becomes possible to prevent the illegal rewriting 
of the encryption attributes in the case of saving the 
encrypted data. 

Also, it becomes possible to protect the encrypted data 
from illegal attacks by using arbitrary random number Kr 
rather than a fixed key as the encryption key for the 
processing target data. 

Also, it becomes possible to carry out the debugging in 
the plaintext state, and when errors are found, a feedback on 
the errors can be provided to the program vendor who knows 
the execution code encryption key. 

Also, it becomes possible to prevent an increase of the 
memories in the microprocessor and suppress the cost of the 
microprocessor by saving information that required the 
secret protection such as the encryption attribute information 
on an external memory by attaching a signature of the 
microprocessor, reading only the necessary portion into the 
registers inside the microprocessor, and carrying out the 
verification of the signature at a time of reading. In this 
scheme, the safety against the substitution at a time of the 
reading can also be guaranteed. 

It is also to be noted that, besides those already mentioned 
above, many modifications and variations of the above 
embodiments may be made without departing from the 
novel and advantageous features of the present invention. 
Accordingly, all such modifications and variations are 
intended to be included within the scope of the appended 
claims. 

What is claimed is: 

1. A microprocessor having a unique secret key and a 
unique public key corresponding to the unique secret key 
that cannot be read out to external, comprising: 

a reading unit configured to read out a plurality of 
programs encrypted by using different execution code 
encryption keys from an external memory; 

a decryption unit configured to decrypt the plurality of 
programs read out by the reading unit by using respec- 
tive decryption keys; 

an execution unit configured to execute the plurality of 
programs decrypted by the decryption unit; 

a context information saving unit configured to save a 
context information for one program whose execution 
is to be interrupted, into the external memory or a 
context information memory provided inside the 
microprocessor, the context information containing 
information indicating an execution state of the one 
program and the execution code encryption key of the 
one program, and 

a restart unit configured to restart an execution of the one 
program by reading out the context information from 
the external memory or the context information 
memory, and recovering the execution state of the one 
program from the context information; 

wherein the context information saving unit is configured 
to generate a random number as a temporary key, to 
encrypt the context information, and to save an 
encrypted context information into the external 
memory, the encrypted context information containing 
a first value obtained by encrypting information indi- 
cating the execution state of the one program by using 
the temporary key and a second value obtained by 
encrypting the temporary key by using the public key; 

the restart unit is configured to restart the execution of the 
one program by reading out the encrypted context 
information from the external memory, decrypting the 
temporary key from the second value contained in the 
encrypted context information by using the secret key, 
decrypting the information indicating the execution 
state from the first value contained in the encrypted 
context information by using a decrypted temporary 
key, and recovering the execution state of the one 
program from a decrypted context information; and 

the context information saving unit saves the encrypted 
context information that also contains a third value 
obtained by encrypting the temporary key by using the 
execution code encryption key of the one program. 

2. The microprocessor of claim 1, wherein the restart unit 
decrypts a first temporary key from the second value con- 
tained in the encrypted context information by using the 
secret key and decrypts the information indicating the 
execution state from the first value contained in the 
encrypted context information by using the first decrypted 
temporary key, while decrypting a second temporary key 
from the third value contained in the encrypted context 
information by using the execution code encryption key of 
the one program, and restarts the execution of the one 
program only when the first decrypted temporary key coin- 
cides with the second decrypted temporary key. 

* * * * * 
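
The save and restart flow of claims 1 and 2, as an added illustration that is not part of the patent text: the three encrypted values are built on save, and restart is refused unless the temporary key unwrapped with the processor secret key matches the one unwrapped with the program's execution code encryption key. The function names, the toy RSA key pair and the SHA-256 keystream cipher are assumptions standing in for the processor's real key pair and ciphers.

```python
import hashlib
import secrets

# Constructed toy RSA key pair standing in for the processor's unique key pair
# (two Mersenne primes, textbook RSA without padding; illustration only).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # secret exponent, never leaves the "chip"

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (assumption): XOR with a SHA-256 counter keystream."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def save_context(state: bytes, code_key: bytes) -> dict:
    """Context information saving unit: build the three encrypted values."""
    kr = secrets.token_bytes(16)  # random temporary key
    return {
        "first": stream_xor(kr, state),                  # state under temporary key
        "second": pow(int.from_bytes(kr, "big"), E, N),  # temporary key under public key
        "third": stream_xor(code_key, kr),               # temporary key under code key
    }

def restart(ctx: dict, code_key: bytes) -> bytes:
    """Restart unit: recover the state only if both unwrapped keys coincide."""
    k1 = pow(ctx["second"], D, N)                        # via processor secret key
    k2 = int.from_bytes(stream_xor(code_key, ctx["third"]), "big")  # via code key
    if k1 != k2:
        raise PermissionError("temporary keys differ: context rejected")
    return stream_xor(k1.to_bytes(16, "big"), ctx["first"])
```

A context saved for one program is rejected when restarted under another program's execution code encryption key, and so is a context whose third value was taken from a different save.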